The following issues were found
drivers/staging/media/av7110/av7110.c
2 issues
Line: 623
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = 2 * 1024;
iwdebi(av7110, DEBINOSWAP, TX_LEN, len, 2);
iwdebi(av7110, DEBINOSWAP, IRQ_STATE_EXT, len, 2);
memcpy(av7110->debi_virt, av7110->bmpbuf+av7110->bmpp, len);
av7110->bmpp += len;
av7110->bmplen -= len;
dprintk(8, "gpio DATA_BMP_LOAD DMA len %d\n", len);
start_debi_dma(av7110, DEBI_WRITE, DPRAM_BASE+txbuf, len);
spin_unlock(&av7110->debilock);
Reported by FlawFinder.
Line: 1529
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(av7110->bin_fw, fw->data, fw->size);
av7110->size_fw = fw->size;
if ((ret = check_firmware(av7110)))
vfree(av7110->bin_fw);
release_firmware(fw);
Reported by FlawFinder.
drivers/scsi/bnx2fc/bnx2fc_io.c
2 issues
Line: 1750
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int_to_scsilun(sc_cmd->device->lun, &fcp_cmnd->fc_lun);
fcp_cmnd->fc_dl = htonl(io_req->data_xfer_len);
memcpy(fcp_cmnd->fc_cdb, sc_cmd->cmnd, sc_cmd->cmd_len);
fcp_cmnd->fc_cmdref = 0;
fcp_cmnd->fc_pri_ta = 0;
fcp_cmnd->fc_tm_flags = io_req->mp_req.tm_flags;
fcp_cmnd->fc_flags = io_req->io_req_flags;
Reported by FlawFinder.
Line: 1829
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(sc_cmd->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE);
if (fcp_sns_len)
memcpy(sc_cmd->sense_buffer, rq_data, fcp_sns_len);
}
}
/**
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/pcie/internal.h
2 issues
Line: 410
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool fw_reset_done;
wait_queue_head_t fw_reset_waitq;
char rf_name[32];
};
static inline struct iwl_trans_pcie *
IWL_TRANS_GET_PCIE_TRANS(struct iwl_trans *trans)
{
Reported by FlawFinder.
drivers/net/wireless/intersil/orinoco/mic.c
2 issues
Line: 60
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy header into buffer. We need the padding on the end zeroed */
memcpy(&hdr[0], da, ETH_ALEN);
memcpy(&hdr[ETH_ALEN], sa, ETH_ALEN);
hdr[ETH_ALEN * 2] = priority;
hdr[ETH_ALEN * 2 + 1] = 0;
hdr[ETH_ALEN * 2 + 2] = 0;
hdr[ETH_ALEN * 2 + 3] = 0;
Reported by FlawFinder.
Line: 61
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy header into buffer. We need the padding on the end zeroed */
memcpy(&hdr[0], da, ETH_ALEN);
memcpy(&hdr[ETH_ALEN], sa, ETH_ALEN);
hdr[ETH_ALEN * 2] = priority;
hdr[ETH_ALEN * 2 + 1] = 0;
hdr[ETH_ALEN * 2 + 2] = 0;
hdr[ETH_ALEN * 2 + 3] = 0;
Reported by FlawFinder.
drivers/net/wireless/intersil/prism54/isl_oid.h
2 issues
Line: 18
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct obj_ssid {
u8 length;
char octets[33];
} __packed;
struct obj_key {
u8 type; /* dot11_priv_t */
u8 length;
Reported by FlawFinder.
Line: 24
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct obj_key {
u8 type; /* dot11_priv_t */
u8 length;
char key[32];
} __packed;
struct obj_mlme {
u8 address[6];
u16 id;
Reported by FlawFinder.
drivers/net/wireless/intersil/prism54/islpci_mgt.c
2 issues
Line: 189
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += PIMFOR_HEADER_SIZE;
if (data)
memcpy(p, data, length);
else
memset(p, 0, length);
#if VERBOSE > SHOW_ERROR_MESSAGES
{
Reported by FlawFinder.
Line: 350
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
continue;
frame->ndev = ndev;
memcpy(&frame->buf, header, size);
frame->header = (pimfor_header_t *) frame->buf;
frame->data = frame->buf + PIMFOR_HEADER_SIZE;
#if VERBOSE > SHOW_ERROR_MESSAGES
DEBUG(SHOW_PIMFOR_FRAMES,
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas/debugfs.c
2 issues
Line: 834
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
else if (d[i].size == 8)
val = *((u64 *) d[i].addr);
pos += sprintf(p + pos, "%s=%d\n", d[i].name, val);
}
res = simple_read_from_buffer(userbuf, count, ppos, p, pos);
free_page(addr);
Reported by FlawFinder.
Line: 782
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct debug_data {
char name[32];
u32 size;
size_t addr;
};
/* To debug any member of struct lbs_private, simply add one line here.
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas_tf/deb_defs.h
2 issues
Line: 96
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (len &&
(lbtf_debug & LBTF_DEB_HEX) &&
(lbtf_debug & grp)) {
snprintf(newprompt, sizeof(newprompt), DRV_NAME " %s: ", prompt);
print_hex_dump_bytes(prompt, DUMP_PREFIX_NONE, buf, len);
}
}
#else
#define lbtf_deb_hex(grp, prompt, buf, len) do {} while (0)
Reported by FlawFinder.
Line: 91
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef DEBUG
static inline void lbtf_deb_hex(unsigned int grp, const char *prompt, u8 *buf, int len)
{
char newprompt[32];
if (len &&
(lbtf_debug & LBTF_DEB_HEX) &&
(lbtf_debug & grp)) {
snprintf(newprompt, sizeof(newprompt), DRV_NAME " %s: ", prompt);
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/11ac.c
2 issues
Line: 194
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vht_cap->header.type = cpu_to_le16(WLAN_EID_VHT_CAPABILITY);
vht_cap->header.len =
cpu_to_le16(sizeof(struct ieee80211_vht_cap));
memcpy((u8 *)vht_cap + sizeof(struct mwifiex_ie_types_header),
(u8 *)bss_desc->bcn_vht_cap,
le16_to_cpu(vht_cap->header.len));
mwifiex_fill_vht_cap_tlv(priv, &vht_cap->vht_cap,
bss_desc->bss_band);
Reported by FlawFinder.
Line: 213
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_le16(WLAN_EID_VHT_OPERATION);
vht_op->header.len = cpu_to_le16(sizeof(*vht_op) -
sizeof(struct mwifiex_ie_types_header));
memcpy((u8 *)vht_op +
sizeof(struct mwifiex_ie_types_header),
(u8 *)bss_desc->bcn_vht_oper,
le16_to_cpu(vht_op->header.len));
/* negotiate the channel width and central freq
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/11n_aggr.c
2 issues
Line: 69
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy DA and SA */
dt_offset = 2 * ETH_ALEN;
memcpy(&tx_header->eth803_hdr, skb_src->data, dt_offset);
/* Copy SNAP header */
snap.snap_type = ((struct ethhdr *)skb_src->data)->h_proto;
dt_offset += sizeof(__be16);
Reported by FlawFinder.
Line: 76
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dt_offset += sizeof(__be16);
memcpy(&tx_header->rfc1042_hdr, &snap, sizeof(struct rfc_1042_hdr));
skb_pull(skb_src, dt_offset);
/* Update Length field */
tx_header->eth803_hdr.h_proto = htons(skb_src->len + LLC_SNAP_LEN);
Reported by FlawFinder.