The following issues were found
drivers/staging/rtl8188eu/core/rtw_wlan_util.c
16 issues
Line: 178
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void get_rate_set(struct adapter *padapter, unsigned char *pbssrate, int *bssrate_len)
{
unsigned char supportedrates[NumRates];
memset(supportedrates, 0, NumRates);
*bssrate_len = ratetbl2rateset(padapter, supportedrates);
memcpy(pbssrate, supportedrates, *bssrate_len);
}
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(supportedrates, 0, NumRates);
*bssrate_len = ratetbl2rateset(padapter, supportedrates);
memcpy(pbssrate, supportedrates, *bssrate_len);
}
void UpdateBrateTbl(struct adapter *Adapter, u8 *mbrate)
{
u8 i;
Reported by FlawFinder.
Line: 322
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
__le16 val;
memcpy((unsigned char *)&val, rtw_get_beacon_interval_from_ie(bss->ies), 2);
return le16_to_cpu(val);
}
int is_client_associated_to_ap(struct adapter *padapter)
Reported by FlawFinder.
Line: 462
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
pmlmeinfo->WMM_enable = 1;
memcpy(&pmlmeinfo->WMM_param, pIE->data + 6, sizeof(struct WMM_para_element));
return true;
}
void WMMOnAssocRsp(struct adapter *padapter)
{
Reported by FlawFinder.
Line: 697
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
pmlmeinfo->HT_info_enable = 1;
memcpy(&pmlmeinfo->HT_info, pIE->data, pIE->Length);
}
void HTOnAssocRsp(struct adapter *padapter)
{
u8 max_ampdu_len;
Reported by FlawFinder.
Line: 735
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
pmlmeinfo->ERP_enable = 1;
memcpy(&pmlmeinfo->ERP_IE, pIE->data, pIE->Length);
}
void VCS_update(struct adapter *padapter, struct sta_info *psta)
{
struct registry_priv *pregpriv = &padapter->registrypriv;
Reported by FlawFinder.
Line: 819
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* below is to copy the information element */
bssid->ie_length = len;
memcpy(bssid->ies, (pframe + sizeof(struct ieee80211_hdr_3addr)), bssid->ie_length);
/* check bw and channel offset */
/* parsing HT_CAP_IE */
p = rtw_get_ie(bssid->ies + _FIXED_IE_LENGTH_, WLAN_EID_HT_CAPABILITY, &len, bssid->ie_length - _FIXED_IE_LENGTH_);
if (p && len > 0) {
Reported by FlawFinder.
Line: 871
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ssid_len > NDIS_802_11_LENGTH_SSID)
ssid_len = 0;
}
memcpy(bssid->ssid.ssid, (p + 2), ssid_len);
bssid->ssid.ssid_length = ssid_len;
if (memcmp(bssid->ssid.ssid, cur_network->network.ssid.ssid, 32) ||
bssid->ssid.ssid_length != cur_network->network.ssid.ssid_length) {
if (bssid->ssid.ssid[0] != '\0' && bssid->ssid.ssid_length != 0) /* not hidden ssid */
Reported by FlawFinder.
Line: 1109
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Update RRSR and Rate for USERATE */
void update_tx_basic_rate(struct adapter *padapter, u8 wirelessmode)
{
unsigned char supported_rates[NDIS_802_11_LENGTH_RATES_EX];
memset(supported_rates, 0, NDIS_802_11_LENGTH_RATES_EX);
if ((wirelessmode & WIRELESS_11B) && (wirelessmode == WIRELESS_11B))
memcpy(supported_rates, rtw_basic_rate_cck, 4);
Reported by FlawFinder.
Line: 1114
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(supported_rates, 0, NDIS_802_11_LENGTH_RATES_EX);
if ((wirelessmode & WIRELESS_11B) && (wirelessmode == WIRELESS_11B))
memcpy(supported_rates, rtw_basic_rate_cck, 4);
else if (wirelessmode & WIRELESS_11B)
memcpy(supported_rates, rtw_basic_rate_mix, 7);
else
memcpy(supported_rates, rtw_basic_rate_ofdm, 3);
Reported by FlawFinder.
drivers/bluetooth/btusb.c
16 issues
Line: 1956
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct intel_version *ver)
{
const struct firmware *fw;
char fwname[64];
int ret;
snprintf(fwname, sizeof(fwname),
"intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
ver->hw_platform, ver->hw_variant, ver->hw_revision,
Reported by FlawFinder.
Line: 2515
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 *boot_param)
{
const struct firmware *fw;
char fwname[64];
int err;
struct btusb_data *data = hci_get_drvdata(hdev);
ktime_t calltime;
if (!ver || !boot_param)
Reported by FlawFinder.
Line: 2622
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 *boot_param)
{
const struct firmware *fw;
char fwname[64];
int err;
struct btusb_data *data = hci_get_drvdata(hdev);
ktime_t calltime;
if (!ver || !params)
Reported by FlawFinder.
Line: 2851
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct intel_version ver;
struct intel_boot_params params;
u32 boot_param;
char ddcname[64];
int err;
struct intel_debug_features features;
BT_DBG("%s", hdev->name);
Reported by FlawFinder.
Line: 2951
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct btusb_data *data = hci_get_drvdata(hdev);
u32 boot_param;
char ddcname[64];
int err;
struct intel_debug_features features;
struct intel_version_tlv version;
bt_dev_dbg(hdev, "");
Reported by FlawFinder.
Line: 3347
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr->op = wmt_params->op;
hdr->dlen = cpu_to_le16(wmt_params->dlen + 1);
hdr->flag = wmt_params->flag;
memcpy(wc->data, wmt_params->data, wmt_params->dlen);
set_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags);
err = __hci_cmd_send(hdev, 0xfc6f, hlen, wc);
Reported by FlawFinder.
Line: 3470
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
retry = 20;
while (retry > 0) {
cmd[0] = 0; /* 0 means legacy dl mode. */
memcpy(cmd + 1,
fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
MTK_FW_ROM_PATCH_GD_SIZE + MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i +
MTK_SEC_MAP_COMMON_SIZE,
MTK_SEC_MAP_NEED_SEND_SIZE + 1);
Reported by FlawFinder.
Line: 3699
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *fwname;
int err, status;
u32 dev_id;
char fw_bin_name[64];
u32 fw_version = 0;
u8 param;
calltime = ktime_get();
Reported by FlawFinder.
Line: 3916
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = 0xfe;
buf[1] = sizeof(bdaddr_t);
memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
ret = PTR_ERR(skb);
bt_dev_err(hdev, "changing Marvell device address failed (%ld)",
Reported by FlawFinder.
Line: 3941
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[1] = 0x01;
buf[2] = 0x00;
buf[3] = sizeof(bdaddr_t);
memcpy(buf + 4, bdaddr, sizeof(bdaddr_t));
skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
ret = PTR_ERR(skb);
bt_dev_err(hdev, "Change address command failed (%ld)", ret);
Reported by FlawFinder.
drivers/hwtracing/coresight/coresight-core.c
16 issues
Line: 163
Column: 45
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static inline u32 coresight_read_claim_tags(struct coresight_device *csdev)
{
return csdev_access_relaxed_read32(&csdev->access, CORESIGHT_CLAIMCLR);
}
static inline bool coresight_is_claimed_self_hosted(struct coresight_device *csdev)
{
return coresight_read_claim_tags(csdev) == CORESIGHT_CLAIM_SELF_HOSTED;
Reported by FlawFinder.
Line: 178
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static inline void coresight_set_claim_tags(struct coresight_device *csdev)
{
csdev_access_relaxed_write32(&csdev->access, CORESIGHT_CLAIM_SELF_HOSTED,
CORESIGHT_CLAIMSET);
isb();
}
static inline void coresight_clear_claim_tags(struct coresight_device *csdev)
Reported by FlawFinder.
Line: 185
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static inline void coresight_clear_claim_tags(struct coresight_device *csdev)
{
csdev_access_relaxed_write32(&csdev->access, CORESIGHT_CLAIM_SELF_HOSTED,
CORESIGHT_CLAIMCLR);
isb();
}
/*
Reported by FlawFinder.
Line: 224
Column: 19
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (WARN_ON(!csdev))
return -EINVAL;
CS_UNLOCK(csdev->access.base);
rc = coresight_claim_device_unlocked(csdev);
CS_LOCK(csdev->access.base);
return rc;
}
Reported by FlawFinder.
Line: 226
Column: 17
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
CS_UNLOCK(csdev->access.base);
rc = coresight_claim_device_unlocked(csdev);
CS_LOCK(csdev->access.base);
return rc;
}
EXPORT_SYMBOL_GPL(coresight_claim_device);
Reported by FlawFinder.
Line: 259
Column: 19
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (WARN_ON(!csdev))
return;
CS_UNLOCK(csdev->access.base);
coresight_disclaim_device_unlocked(csdev);
CS_LOCK(csdev->access.base);
}
EXPORT_SYMBOL_GPL(coresight_disclaim_device);
Reported by FlawFinder.
Line: 261
Column: 17
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
CS_UNLOCK(csdev->access.base);
coresight_disclaim_device_unlocked(csdev);
CS_LOCK(csdev->access.base);
}
EXPORT_SYMBOL_GPL(coresight_disclaim_device);
/* enable or disable an associated CTI device of the supplied CS device */
static int
Reported by FlawFinder.
Line: 1502
Column: 45
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
u32 coresight_relaxed_read32(struct coresight_device *csdev, u32 offset)
{
return csdev_access_relaxed_read32(&csdev->access, offset);
}
u32 coresight_read32(struct coresight_device *csdev, u32 offset)
{
return csdev_access_read32(&csdev->access, offset);
Reported by FlawFinder.
Line: 1507
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
u32 coresight_read32(struct coresight_device *csdev, u32 offset)
{
return csdev_access_read32(&csdev->access, offset);
}
void coresight_relaxed_write32(struct coresight_device *csdev,
u32 val, u32 offset)
{
Reported by FlawFinder.
Line: 1513
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void coresight_relaxed_write32(struct coresight_device *csdev,
u32 val, u32 offset)
{
csdev_access_relaxed_write32(&csdev->access, val, offset);
}
void coresight_write32(struct coresight_device *csdev, u32 val, u32 offset)
{
csdev_access_write32(&csdev->access, val, offset);
Reported by FlawFinder.
arch/powerpc/platforms/powermac/low_i2c.c
16 issues
Line: 1382
CWE codes:
788
return -EINVAL;
for (i = 0, match = 1; match && i < len; i ++)
if ((inst->buffer[i] & maskdata[i]) != valuedata[i])
match = 0;
*args->u[0].p = match;
return 0;
}
Reported by Cppcheck.
Line: 92
Column: 8
CWE codes:
362
struct lock_class_key lock_key;
/* ops */
int (*open)(struct pmac_i2c_bus *bus);
void (*close)(struct pmac_i2c_bus *bus);
int (*xfer)(struct pmac_i2c_bus *bus, u8 addrdir, int subsize,
u32 subaddr, u8 *data, int len);
};
Reported by FlawFinder.
Line: 722
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->done = pmu_i2c_complete;
req->arg = ∁
if (!read && len) {
memcpy(hdr->data, data, len);
req->nbytes += len;
}
rc = pmu_queue_request(req);
if (rc)
return rc;
Reported by FlawFinder.
Line: 768
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
if (len)
memcpy(data, &req->reply[1], len);
return 0;
}
}
return -EIO;
}
Reported by FlawFinder.
Line: 866
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
cmd->info.sublen = subsize;
/* that's big-endian only but heh ! */
memcpy(&cmd->info.subaddr, ((char *)&subaddr) + (4 - subsize),
subsize);
if (bus->mode == pmac_i2c_mode_stdsub)
cmd->info.type = SMU_I2C_TRANSFER_STDSUB;
else
cmd->info.type = SMU_I2C_TRANSFER_COMBINED;
Reported by FlawFinder.
Line: 877
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
if (!read && len)
memcpy(cmd->info.data, data, len);
init_completion(&comp);
cmd->done = smu_i2c_complete;
cmd->misc = ∁
rc = smu_queue_i2c(cmd);
Reported by FlawFinder.
Line: 889
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = cmd->status;
if (read && len)
memcpy(data, cmd->info.data, len);
return rc < 0 ? rc : 0;
}
static void __init smu_i2c_probe(void)
{
Reported by FlawFinder.
Line: 1096
Column: 11
CWE codes:
362
bus->polled = polled || pmac_i2c_force_poll;
bus->opened = 1;
bus->mode = pmac_i2c_mode_std;
if (bus->open && (rc = bus->open(bus)) != 0) {
bus->opened = 0;
mutex_unlock(&bus->mutex);
return rc;
}
return 0;
Reported by FlawFinder.
Line: 1096
Column: 30
CWE codes:
362
bus->polled = polled || pmac_i2c_force_poll;
bus->opened = 1;
bus->mode = pmac_i2c_mode_std;
if (bus->open && (rc = bus->open(bus)) != 0) {
bus->opened = 0;
mutex_unlock(&bus->mutex);
return rc;
}
return 0;
Reported by FlawFinder.
Line: 721
Column: 8
CWE codes:
120
20
req->nbytes = sizeof(struct pmu_i2c_hdr) + 1;
req->done = pmu_i2c_complete;
req->arg = ∁
if (!read && len) {
memcpy(hdr->data, data, len);
req->nbytes += len;
}
rc = pmu_queue_request(req);
if (rc)
Reported by FlawFinder.
drivers/net/hippi/rrunner.h
16 issues
Line: 629
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 Firmware;
u32 BoardRevision;
u32 RoadrunnerRev;
char OpticsPart[8];
u32 OpticsRev;
u32 pad1;
char SramPart[8];
u32 SramRev;
u32 pad2;
Reported by FlawFinder.
Line: 632
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char OpticsPart[8];
u32 OpticsRev;
u32 pad1;
char SramPart[8];
u32 SramRev;
u32 pad2;
char EepromPart[8];
u32 EepromRev;
u32 EepromSize;
Reported by FlawFinder.
Line: 635
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char SramPart[8];
u32 SramRev;
u32 pad2;
char EepromPart[8];
u32 EepromRev;
u32 EepromSize;
char PalPart[8];
u32 PalRev;
u32 pad3;
Reported by FlawFinder.
Line: 638
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char EepromPart[8];
u32 EepromRev;
u32 EepromSize;
char PalPart[8];
u32 PalRev;
u32 pad3;
char PalCodeFile[12];
u32 PalCodeRev;
char BoardULA[8];
Reported by FlawFinder.
Line: 641
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char PalPart[8];
u32 PalRev;
u32 pad3;
char PalCodeFile[12];
u32 PalCodeRev;
char BoardULA[8];
char SerialNo[8];
char MfgDate[8];
char MfgTime[8];
Reported by FlawFinder.
Line: 643
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 pad3;
char PalCodeFile[12];
u32 PalCodeRev;
char BoardULA[8];
char SerialNo[8];
char MfgDate[8];
char MfgTime[8];
char ModifyDate[8];
u32 ModCount;
Reported by FlawFinder.
Line: 644
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char PalCodeFile[12];
u32 PalCodeRev;
char BoardULA[8];
char SerialNo[8];
char MfgDate[8];
char MfgTime[8];
char ModifyDate[8];
u32 ModCount;
u32 pad4[13];
Reported by FlawFinder.
Line: 645
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 PalCodeRev;
char BoardULA[8];
char SerialNo[8];
char MfgDate[8];
char MfgTime[8];
char ModifyDate[8];
u32 ModCount;
u32 pad4[13];
};
Reported by FlawFinder.
Line: 646
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char BoardULA[8];
char SerialNo[8];
char MfgDate[8];
char MfgTime[8];
char ModifyDate[8];
u32 ModCount;
u32 pad4[13];
};
Reported by FlawFinder.
Line: 647
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char SerialNo[8];
char MfgDate[8];
char MfgTime[8];
char ModifyDate[8];
u32 ModCount;
u32 pad4[13];
};
Reported by FlawFinder.
fs/udf/inode.c
16 issues
Line: 662
CWE codes:
908
extent.extLocation.partitionReferenceNum = 0;
extent.extLength = EXT_NOT_RECORDED_NOT_ALLOCATED;
} else {
epos.offset -= adsize;
etype = udf_next_aext(inode, &epos, &extent.extLocation,
&extent.extLength, 0);
extent.extLength |= etype << 30;
}
Reported by Cppcheck.
Line: 1764
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
eid = (struct regid *)dsea->impUse;
memset(eid, 0, sizeof(*eid));
strcpy(eid->ident, UDF_ID_DEVELOPER);
eid->identSuffix[0] = UDF_OS_CLASS_UNIX;
eid->identSuffix[1] = UDF_OS_ID_LINUX;
dsea->majorDeviceIdent = cpu_to_le32(imajor(inode));
dsea->minorDeviceIdent = cpu_to_le32(iminor(inode));
}
Reported by FlawFinder.
Line: 1788
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
udf_time_to_disk_stamp(&fe->modificationTime, inode->i_mtime);
udf_time_to_disk_stamp(&fe->attrTime, inode->i_ctime);
memset(&(fe->impIdent), 0, sizeof(struct regid));
strcpy(fe->impIdent.ident, UDF_ID_DEVELOPER);
fe->impIdent.identSuffix[0] = UDF_OS_CLASS_UNIX;
fe->impIdent.identSuffix[1] = UDF_OS_ID_LINUX;
fe->uniqueID = cpu_to_le64(iinfo->i_unique);
fe->lengthExtendedAttr = cpu_to_le32(iinfo->i_lenEAttr);
fe->lengthAllocDescs = cpu_to_le32(iinfo->i_lenAlloc);
Reported by FlawFinder.
Line: 1825
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
udf_time_to_disk_stamp(&efe->attrTime, inode->i_ctime);
memset(&(efe->impIdent), 0, sizeof(efe->impIdent));
strcpy(efe->impIdent.ident, UDF_ID_DEVELOPER);
efe->impIdent.identSuffix[0] = UDF_OS_CLASS_UNIX;
efe->impIdent.identSuffix[1] = UDF_OS_ID_LINUX;
efe->uniqueID = cpu_to_le64(iinfo->i_unique);
efe->lengthExtendedAttr = cpu_to_le32(iinfo->i_lenEAttr);
efe->lengthAllocDescs = cpu_to_le32(iinfo->i_lenAlloc);
Reported by FlawFinder.
Line: 103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(iinfo->cached_extent.lstart != -1)) {
/* Cache hit */
*lbcount = iinfo->cached_extent.lstart;
memcpy(pos, &iinfo->cached_extent.epos,
sizeof(struct extent_position));
if (pos->bh)
get_bh(pos->bh);
ret = 1;
}
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__udf_clear_extent_cache(inode);
if (pos->bh)
get_bh(pos->bh);
memcpy(&iinfo->cached_extent.epos, pos, sizeof(*pos));
iinfo->cached_extent.lstart = estart;
switch (iinfo->i_alloc_type) {
case ICBTAG_FLAG_AD_SHORT:
iinfo->cached_extent.epos.offset -= sizeof(struct short_ad);
break;
Reported by FlawFinder.
Line: 292
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kaddr = kmap_atomic(page);
memset(kaddr + iinfo->i_lenAlloc, 0x00,
PAGE_SIZE - iinfo->i_lenAlloc);
memcpy(kaddr, iinfo->i_data + iinfo->i_lenEAttr,
iinfo->i_lenAlloc);
flush_dcache_page(page);
SetPageUptodate(page);
kunmap_atomic(kaddr);
}
Reported by FlawFinder.
Line: 315
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
lock_page(page);
down_write(&iinfo->i_data_sem);
kaddr = kmap_atomic(page);
memcpy(iinfo->i_data + iinfo->i_lenEAttr, kaddr, inode->i_size);
kunmap_atomic(kaddr);
unlock_page(page);
iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;
inode->i_data.a_ops = &udf_adinicb_aops;
up_write(&iinfo->i_data_sem);
Reported by FlawFinder.
Line: 1374
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ie->indirectICB.extLength) {
brelse(ibh);
memcpy(&iinfo->i_location, &loc,
sizeof(struct kernel_lb_addr));
if (++indirections > UDF_MAX_ICB_NESTING) {
udf_err(inode->i_sb,
"too many ICBs in ICB hierarchy"
" (max %d supported)\n",
Reported by FlawFinder.
Line: 1419
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct extendedFileEntry));
if (ret)
goto out;
memcpy(iinfo->i_data,
bh->b_data + sizeof(struct extendedFileEntry),
bs - sizeof(struct extendedFileEntry));
} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
iinfo->i_efe = 0;
iinfo->i_use = 0;
Reported by FlawFinder.
drivers/media/common/videobuf2/videobuf2-core.c
16 issues
Line: 2369
Column: 55
CWE codes:
120
20
}
EXPORT_SYMBOL_GPL(vb2_core_queue_init);
static int __vb2_init_fileio(struct vb2_queue *q, int read);
static int __vb2_cleanup_fileio(struct vb2_queue *q);
void vb2_core_queue_release(struct vb2_queue *q)
{
__vb2_cleanup_fileio(q);
__vb2_queue_cancel(q);
Reported by FlawFinder.
Line: 2530
Column: 55
CWE codes:
120
20
* @q: videobuf2 queue
* @read: mode selector (1 means read, 0 means write)
*/
static int __vb2_init_fileio(struct vb2_queue *q, int read)
{
struct vb2_fileio_data *fileio;
int i, ret;
unsigned int count = 0;
Reported by FlawFinder.
Line: 2539
Column: 15
CWE codes:
120
20
/*
* Sanity check
*/
if (WARN_ON((read && !(q->io_modes & VB2_READ)) ||
(!read && !(q->io_modes & VB2_WRITE))))
return -EINVAL;
/*
* Check if device supports mapping buffers to kernel virtual space.
Reported by FlawFinder.
Line: 2540
Column: 9
CWE codes:
120
20
* Sanity check
*/
if (WARN_ON((read && !(q->io_modes & VB2_READ)) ||
(!read && !(q->io_modes & VB2_WRITE))))
return -EINVAL;
/*
* Check if device supports mapping buffers to kernel virtual space.
*/
Reported by FlawFinder.
Line: 2561
Column: 4
CWE codes:
120
20
count = 1;
dprintk(q, 3, "setting up file io: mode %s, count %d, read_once %d, write_immediately %d\n",
(read) ? "read" : "write", count, q->fileio_read_once,
q->fileio_write_immediately);
fileio = kzalloc(sizeof(*fileio), GFP_KERNEL);
if (fileio == NULL)
return -ENOMEM;
Reported by FlawFinder.
Line: 2607
Column: 6
CWE codes:
120
20
/*
* Read mode requires pre queuing of all buffers.
*/
if (read) {
/*
* Queue all buffers.
*/
for (i = 0; i < q->num_buffers; i++) {
ret = vb2_core_qbuf(q, i, NULL, NULL);
Reported by FlawFinder.
Line: 2673
Column: 35
CWE codes:
120
20
* @read: access mode selector (1 means read, 0 means write)
*/
static size_t __vb2_perform_fileio(struct vb2_queue *q, char __user *data, size_t count,
loff_t *ppos, int nonblock, int read)
{
struct vb2_fileio_data *fileio;
struct vb2_fileio_buf *buf;
bool is_multiplanar = q->is_multiplanar;
/*
Reported by FlawFinder.
Line: 2683
Column: 25
CWE codes:
120
20
* should copy timestamps if V4L2_BUF_FLAG_TIMESTAMP_COPY is set. Nobody
* else is able to provide this information with the write() operation.
*/
bool copy_timestamp = !read && q->copy_timestamp;
unsigned index;
int ret;
dprintk(q, 3, "mode %s, offset %ld, count %zd, %sblocking\n",
read ? "read" : "write", (long)*ppos, count,
Reported by FlawFinder.
Line: 2688
Column: 3
CWE codes:
120
20
int ret;
dprintk(q, 3, "mode %s, offset %ld, count %zd, %sblocking\n",
read ? "read" : "write", (long)*ppos, count,
nonblock ? "non" : "");
if (!data)
return -EINVAL;
Reported by FlawFinder.
Line: 2696
Column: 4
CWE codes:
120
20
if (q->waiting_in_dqbuf) {
dprintk(q, 3, "another dup()ped fd is %s\n",
read ? "reading" : "writing");
return -EBUSY;
}
/*
* Initialize emulator on first call.
Reported by FlawFinder.
drivers/hwmon/w83791d.c
16 issues
Line: 360
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
to_sensor_dev_attr(attr); \
struct w83791d_data *data = w83791d_update_device(dev); \
int nr = sensor_attr->index; \
return sprintf(buf, "%d\n", IN_FROM_REG(data->reg[nr])); \
}
show_in_reg(in);
show_in_reg(in_min);
show_in_reg(in_max);
Reported by FlawFinder.
Line: 439
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct w83791d_data *data = w83791d_update_device(dev);
int bitnr = sensor_attr->index;
return sprintf(buf, "%d\n", (data->beep_mask >> bitnr) & 1);
}
static ssize_t store_beep(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 485
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct w83791d_data *data = w83791d_update_device(dev);
int bitnr = sensor_attr->index;
return sprintf(buf, "%d\n", (data->alarms >> bitnr) & 1);
}
/*
* Note: The bitmask for the beep enable/disable is different than
* the bitmask for the alarm.
Reported by FlawFinder.
Line: 526
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
to_sensor_dev_attr(attr); \
struct w83791d_data *data = w83791d_update_device(dev); \
int nr = sensor_attr->index; \
return sprintf(buf, "%d\n", \
FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
}
show_fan_reg(fan);
show_fan_reg(fan_min);
Reported by FlawFinder.
Line: 561
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct w83791d_data *data = w83791d_update_device(dev);
return sprintf(buf, "%u\n", DIV_FROM_REG(data->fan_div[nr]));
}
/*
* Note: we save and restore the fan minimum here, because its value is
* determined in part by the fan divisor. This follows the principle of
Reported by FlawFinder.
Line: 717
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct w83791d_data *data = w83791d_update_device(dev);
return sprintf(buf, "%u\n", data->pwm[nr]);
}
static ssize_t store_pwm(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 758
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
int nr = sensor_attr->index;
struct w83791d_data *data = w83791d_update_device(dev);
return sprintf(buf, "%u\n", data->pwm_enable[nr] + 1);
}
static ssize_t store_pwmenable(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 824
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
struct w83791d_data *data = w83791d_update_device(dev);
int nr = sensor_attr->index;
return sprintf(buf, "%d\n", TEMP1_FROM_REG(data->temp_target[nr]));
}
static ssize_t store_temp_target(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 865
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *sensor_attr = to_sensor_dev_attr(attr);
struct w83791d_data *data = w83791d_update_device(dev);
int nr = sensor_attr->index;
return sprintf(buf, "%d\n", TEMP1_FROM_REG(data->temp_tolerance[nr]));
}
static ssize_t store_temp_tolerance(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 927
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct w83791d_data *data = w83791d_update_device(dev);
return sprintf(buf, "%d\n", TEMP1_FROM_REG(data->temp1[attr->index]));
}
static ssize_t store_temp1(struct device *dev, struct device_attribute *devattr,
const char *buf, size_t count)
{
Reported by FlawFinder.
drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
16 issues
Line: 3193
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
snprintf(queue_name, sizeof(queue_name),
"%d", i);
for (j = 0; j < BNX2X_NUM_Q_STATS; j++)
snprintf(buf + (k + j)*ETH_GSTRING_LEN,
ETH_GSTRING_LEN,
bnx2x_q_stats_arr[j].string,
queue_name);
k += BNX2X_NUM_Q_STATS;
}
Reported by FlawFinder.
Line: 3204
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
for (i = 0, j = 0; i < BNX2X_NUM_STATS; i++) {
if (HIDE_PORT_STAT(bp) && IS_PORT_STAT(i))
continue;
strcpy(buf + (k + j)*ETH_GSTRING_LEN,
bnx2x_stats_arr[i].string);
j++;
}
break;
Reported by FlawFinder.
Line: 40
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const struct {
long offset;
int size;
char string[ETH_GSTRING_LEN];
} bnx2x_q_stats_arr[] = {
/* 1 */ { Q_STATS_OFFSET32(total_bytes_received_hi), 8, "[%s]: rx_bytes" },
{ Q_STATS_OFFSET32(total_unicast_packets_received_hi),
8, "[%s]: rx_ucast_packets" },
{ Q_STATS_OFFSET32(total_multicast_packets_received_hi),
Reported by FlawFinder.
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long offset;
int size;
bool is_port_stat;
char string[ETH_GSTRING_LEN];
} bnx2x_stats_arr[] = {
/* 1 */ { STATS_OFFSET32(total_bytes_received_hi),
8, false, "rx_bytes" },
{ STATS_OFFSET32(error_bytes_received_hi),
8, false, "rx_error_bytes" },
Reported by FlawFinder.
Line: 1003
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(BP_PATH(bp) ? DUMP_PATH_1 : DUMP_PATH_0);
}
memcpy(p, &dump_hdr, sizeof(struct dump_header));
p += dump_hdr.header_size + 1;
/* This isn't really an error, but since attention handling is going
* to print the GRC timeouts using this macro, we use the same.
*/
Reported by FlawFinder.
Line: 1094
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(BP_PATH(bp) ? DUMP_PATH_1 : DUMP_PATH_0);
}
memcpy(p, &dump_hdr, sizeof(struct dump_header));
p += dump_hdr.header_size + 1;
/* Actually read the registers */
__bnx2x_get_preset_regs(bp, p, dump_hdr.preset);
Reported by FlawFinder.
Line: 1111
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ethtool_drvinfo *info)
{
struct bnx2x *bp = netdev_priv(dev);
char version[ETHTOOL_FWVERS_LEN];
int ext_dev_info_offset;
u32 mbi;
strlcpy(info->driver, DRV_MODULE_NAME, sizeof(info->driver));
Reported by FlawFinder.
Line: 1426
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd_flags = MCPR_NVM_COMMAND_FIRST;
while ((buf_size > sizeof(u32)) && (rc == 0)) {
rc = bnx2x_nvram_read_dword(bp, offset, &val, cmd_flags);
memcpy(ret_buf, &val, 4);
/* advance to the next dword */
offset += sizeof(u32);
ret_buf += sizeof(u32);
buf_size -= sizeof(u32);
Reported by FlawFinder.
Line: 1438
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc == 0) {
cmd_flags |= MCPR_NVM_COMMAND_LAST;
rc = bnx2x_nvram_read_dword(bp, offset, &val, cmd_flags);
memcpy(ret_buf, &val, 4);
}
/* disable access to nvram interface */
bnx2x_disable_nvram_access(bp);
bnx2x_release_nvram_lock(bp);
Reported by FlawFinder.
Line: 1755
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if ((offset % BNX2X_NVRAM_PAGE_SIZE) == 0)
cmd_flags |= MCPR_NVM_COMMAND_FIRST;
memcpy(&val, data_buf, 4);
/* Notice unlike bnx2x_nvram_read_dword() this will not
* change val using be32_to_cpu(), which causes data to flip
* if the eeprom is read and then written back. This is due
* to tools utilizing this functionality that would break
Reported by FlawFinder.
tools/perf/util/stat-display.c
16 issues
Line: 199
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (color)
n += color_fprintf(out, color, fmt, val);
else
n += fprintf(out, fmt, val);
fprintf(out, " %-*s", METRIC_LEN - n - 1, unit);
}
static void new_line_csv(struct perf_stat_config *config, void *ctx)
{
Reported by FlawFinder.
Line: 229
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
fprintf(out, "%s%s", config->csv_sep, config->csv_sep);
return;
}
snprintf(buf, sizeof(buf), fmt, val);
ends = vals = skip_spaces(buf);
while (isdigit(*ends) || *ends == '.')
ends++;
*ends = 0;
fprintf(out, "%s%s%s%s", config->csv_sep, vals, config->csv_sep, skip_spaces(unit));
Reported by FlawFinder.
Line: 295
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (!valid_only_metric(unit))
return;
unit = fixunit(tbuf, os->evsel, unit);
snprintf(buf, sizeof buf, fmt, val);
ends = vals = skip_spaces(buf);
while (isdigit(*ends) || *ends == '.')
ends++;
*ends = 0;
fprintf(out, "%s%s", vals, config->csv_sep);
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
aggr_printout(config, evsel, id, nr);
fprintf(output, fmt, avg, config->csv_sep);
if (evsel->unit)
fprintf(output, "%-*s%s",
config->csv_output ? 0 : config->unit_width,
evsel->unit, config->csv_sep);
Reported by FlawFinder.
Line: 1029
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
puts(CONSOLE_CLEAR);
if (!config->iostat_run)
sprintf(prefix, "%6lu.%09lu%s", (unsigned long) ts->tv_sec, ts->tv_nsec, config->csv_sep);
if ((num_print_interval == 0 && !config->csv_output) || config->interval_clear) {
switch (config->aggr_mode) {
case AGGR_NODE:
fprintf(output, "# time node cpus");
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct outstate *os = ctx;
FILE *out = os->fh;
char buf[64], *vals, *ends;
if (unit == NULL || fmt == NULL) {
fprintf(out, "%s%s", config->csv_sep, config->csv_sep);
return;
}
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct outstate *os = ctx;
FILE *out = os->fh;
char buf[1024], str[1024];
unsigned mlen = config->metric_only_len;
if (!valid_only_metric(unit))
return;
unit = fixunit(buf, os->evsel, unit);
Reported by FlawFinder.
Line: 289
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct outstate *os = ctx;
FILE *out = os->fh;
char buf[64], *vals, *ends;
char tbuf[1024];
if (!valid_only_metric(unit))
return;
unit = fixunit(tbuf, os->evsel, unit);
Reported by FlawFinder.
Line: 290
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct outstate *os = ctx;
FILE *out = os->fh;
char buf[64], *vals, *ends;
char tbuf[1024];
if (!valid_only_metric(unit))
return;
unit = fixunit(tbuf, os->evsel, unit);
snprintf(buf, sizeof buf, fmt, val);
Reported by FlawFinder.
Line: 314
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *unit, double val __maybe_unused)
{
struct outstate *os = ctx;
char tbuf[1024];
/* In case of iostat, print metric header for first root port only */
if (config->iostat_run &&
os->evsel->priv != os->evsel->evlist->selected->priv)
return;
Reported by FlawFinder.