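The following issues were found by FlawFinder. Each entry is a pattern match on a risky construct (a fixed-size buffer, memcpy, sprintf, a non-constant format string, getenv, strlen) and still needs manual review of the surrounding code to decide whether it is a real defect.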
drivers/bluetooth/btusb.c
16 issues
Line: 1956
Column: 2
CWE codes:
119
120
Suggestion:
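Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Here the hit is the declaration `char fwname[64]`; the excerpt fills it with `snprintf(fwname, sizeof(fwname), ...)`, which cannot write past the buffer, so the remaining thing to check is whether a truncated firmware name is detected and handled.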
struct intel_version *ver)
{
const struct firmware *fw;
char fwname[64];
int ret;
snprintf(fwname, sizeof(fwname),
"intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
ver->hw_platform, ver->hw_variant, ver->hw_revision,
Reported by FlawFinder.
Line: 2515
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 *boot_param)
{
const struct firmware *fw;
char fwname[64];
int err;
struct btusb_data *data = hci_get_drvdata(hdev);
ktime_t calltime;
if (!ver || !boot_param)
Reported by FlawFinder.
Line: 2622
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 *boot_param)
{
const struct firmware *fw;
char fwname[64];
int err;
struct btusb_data *data = hci_get_drvdata(hdev);
ktime_t calltime;
if (!ver || !params)
Reported by FlawFinder.
Line: 2851
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct intel_version ver;
struct intel_boot_params params;
u32 boot_param;
char ddcname[64];
int err;
struct intel_debug_features features;
BT_DBG("%s", hdev->name);
Reported by FlawFinder.
Line: 2951
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct btusb_data *data = hci_get_drvdata(hdev);
u32 boot_param;
char ddcname[64];
int err;
struct intel_debug_features features;
struct intel_version_tlv version;
bt_dev_dbg(hdev, "");
Reported by FlawFinder.
Line: 3347
Column: 2
CWE codes:
120
Suggestion:
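Make sure destination can always hold the source data. The excerpt does not show how `wc` is allocated: confirm that its size covers the header plus `wmt_params->dlen` bytes and that callers bound `dlen`.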
hdr->op = wmt_params->op;
hdr->dlen = cpu_to_le16(wmt_params->dlen + 1);
hdr->flag = wmt_params->flag;
memcpy(wc->data, wmt_params->data, wmt_params->dlen);
set_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags);
err = __hci_cmd_send(hdev, 0xfc6f, hlen, wc);
Reported by FlawFinder.
Line: 3470
Column: 5
CWE codes:
120
Suggestion:
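Make sure destination can always hold the source data. The copy length is a constant, so two things the excerpt does not show need checking: that `cmd` has room for `MTK_SEC_MAP_NEED_SEND_SIZE + 2` bytes, and that the buffer behind `fw_ptr` is long enough for the source offset, which grows with `i`. The second is an over-read question that this destination-focused message does not cover.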
retry = 20;
while (retry > 0) {
cmd[0] = 0; /* 0 means legacy dl mode. */
memcpy(cmd + 1,
fw_ptr + MTK_FW_ROM_PATCH_HEADER_SIZE +
MTK_FW_ROM_PATCH_GD_SIZE + MTK_FW_ROM_PATCH_SEC_MAP_SIZE * i +
MTK_SEC_MAP_COMMON_SIZE,
MTK_SEC_MAP_NEED_SEND_SIZE + 1);
Reported by FlawFinder.
Line: 3699
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *fwname;
int err, status;
u32 dev_id;
char fw_bin_name[64];
u32 fw_version = 0;
u8 param;
calltime = ktime_get();
Reported by FlawFinder.
Line: 3916
Column: 2
CWE codes:
120
Suggestion:
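Make sure destination can always hold the source data. The copy length is the constant `sizeof(bdaddr_t)`; the check is that `buf`, whose declaration is outside the excerpt, holds at least `2 + sizeof(bdaddr_t)` bytes.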
buf[0] = 0xfe;
buf[1] = sizeof(bdaddr_t);
memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
ret = PTR_ERR(skb);
bt_dev_err(hdev, "changing Marvell device address failed (%ld)",
Reported by FlawFinder.
Line: 3941
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[1] = 0x01;
buf[2] = 0x00;
buf[3] = sizeof(bdaddr_t);
memcpy(buf + 4, bdaddr, sizeof(bdaddr_t));
skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT);
if (IS_ERR(skb)) {
ret = PTR_ERR(skb);
bt_dev_err(hdev, "Change address command failed (%ld)", ret);
Reported by FlawFinder.
tools/perf/util/stat-display.c
16 issues
Line: 199
Column: 8
CWE codes:
134
Suggestion:
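Use a constant for the format specification. `fmt` is not defined in the excerpt and is presumably a parameter of the enclosing function, so the check is on the callers: every one should pass a string literal, never text derived from input.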
if (color)
n += color_fprintf(out, color, fmt, val);
else
n += fprintf(out, fmt, val);
fprintf(out, " %-*s", METRIC_LEN - n - 1, unit);
}
static void new_line_csv(struct perf_stat_config *config, void *ctx)
{
Reported by FlawFinder.
Line: 229
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
fprintf(out, "%s%s", config->csv_sep, config->csv_sep);
return;
}
snprintf(buf, sizeof(buf), fmt, val);
ends = vals = skip_spaces(buf);
while (isdigit(*ends) || *ends == '.')
ends++;
*ends = 0;
fprintf(out, "%s%s%s%s", config->csv_sep, vals, config->csv_sep, skip_spaces(unit));
Reported by FlawFinder.
Line: 295
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (!valid_only_metric(unit))
return;
unit = fixunit(tbuf, os->evsel, unit);
snprintf(buf, sizeof buf, fmt, val);
ends = vals = skip_spaces(buf);
while (isdigit(*ends) || *ends == '.')
ends++;
*ends = 0;
fprintf(out, "%s%s", vals, config->csv_sep);
Reported by FlawFinder.
Line: 372
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
aggr_printout(config, evsel, id, nr);
fprintf(output, fmt, avg, config->csv_sep);
if (evsel->unit)
fprintf(output, "%-*s%s",
config->csv_output ? 0 : config->unit_width,
evsel->unit, config->csv_sep);
Reported by FlawFinder.
Line: 1029
Column: 3
CWE codes:
120
Suggestion:
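Use sprintf_s, snprintf, or vsnprintf. The two numeric fields have a predictable width, but the `%s` argument `config->csv_sep` has no length limit in the format, so the safe size of `prefix` (declared outside the excerpt) depends on how long that string can be; `snprintf` with the size of `prefix` removes that dependency.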
puts(CONSOLE_CLEAR);
if (!config->iostat_run)
sprintf(prefix, "%6lu.%09lu%s", (unsigned long) ts->tv_sec, ts->tv_nsec, config->csv_sep);
if ((num_print_interval == 0 && !config->csv_output) || config->interval_clear) {
switch (config->aggr_mode) {
case AGGR_NODE:
fprintf(output, "# time node cpus");
Reported by FlawFinder.
Line: 223
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct outstate *os = ctx;
FILE *out = os->fh;
char buf[64], *vals, *ends;
if (unit == NULL || fmt == NULL) {
fprintf(out, "%s%s", config->csv_sep, config->csv_sep);
return;
}
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct outstate *os = ctx;
FILE *out = os->fh;
char buf[1024], str[1024];
unsigned mlen = config->metric_only_len;
if (!valid_only_metric(unit))
return;
unit = fixunit(buf, os->evsel, unit);
Reported by FlawFinder.
Line: 289
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct outstate *os = ctx;
FILE *out = os->fh;
char buf[64], *vals, *ends;
char tbuf[1024];
if (!valid_only_metric(unit))
return;
unit = fixunit(tbuf, os->evsel, unit);
Reported by FlawFinder.
Line: 290
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct outstate *os = ctx;
FILE *out = os->fh;
char buf[64], *vals, *ends;
char tbuf[1024];
if (!valid_only_metric(unit))
return;
unit = fixunit(tbuf, os->evsel, unit);
snprintf(buf, sizeof buf, fmt, val);
Reported by FlawFinder.
Line: 314
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *unit, double val __maybe_unused)
{
struct outstate *os = ctx;
char tbuf[1024];
/* In case of iostat, print metric header for first root port only */
if (config->iostat_run &&
os->evsel->priv != os->evsel->evlist->selected->priv)
return;
Reported by FlawFinder.
tools/perf/util/map.c
15 issues
Line: 47
Column: 12
CWE codes:
807
20
Suggestion:
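Check environment variables carefully before using them. `APP_ABI` is set by whoever launches the tool. Other excerpts for this file show its length being added into `new_length`, which is compared with `PATH_MAX` before the `snprintf`, so the length is bounded on that path; the content of the variable still becomes part of a file path and is not validated in the lines shown.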
if (libname)
lib_length = strlen(libname);
app_abi = getenv("APP_ABI");
if (!app_abi)
return false;
app_abi_length = strlen(app_abi);
Reported by FlawFinder.
Line: 61
Column: 14
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
new_length = 7 + app_abi_length + lib_length;
apk_path = getenv("APK_PATH");
if (apk_path) {
new_length += strlen(apk_path) + 1;
if (new_length > PATH_MAX)
return false;
snprintf(newfilename, new_length,
Reported by FlawFinder.
Line: 82
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
const char *arch;
int ndk_length, app_length;
ndk = getenv("NDK_ROOT");
app = getenv("APP_PLATFORM");
if (!(ndk && app))
return false;
Reported by FlawFinder.
Line: 83
Column: 9
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
int ndk_length, app_length;
ndk = getenv("NDK_ROOT");
app = getenv("APP_PLATFORM");
if (!(ndk && app))
return false;
ndk_length = strlen(ndk);
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nsinfo *nnsi;
if (map != NULL) {
char newfilename[PATH_MAX];
struct dso *dso;
int anon, no_dso, vdso, android;
android = is_android_lib(filename);
anon = is_anon_memory(filename) || flags & MAP_HUGETLB;
Reported by FlawFinder.
Line: 335
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
nr = dso__load(map->dso, map);
if (nr < 0) {
if (map->dso->has_build_id) {
char sbuild_id[SBUILD_ID_SIZE];
build_id__sprintf(&map->dso->bid, sbuild_id);
pr_debug("%s with build id %s not found", name, sbuild_id);
} else
pr_debug("Failed to open %s", name);
Reported by FlawFinder.
Line: 409
Column: 2
CWE codes:
119
120
Suggestion:
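Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declaration `char buf[symbol_conf.pad_output_len_dso + 1]` is a variable-length array: its size is read from `symbol_conf.pad_output_len_dso` at run time, so the bound to verify is the range of that setting (stack use grows with it), and that the writes into `buf`, which are outside the excerpt, use the same size.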
size_t map__fprintf_dsoname(struct map *map, FILE *fp)
{
char buf[symbol_conf.pad_output_len_dso + 1];
const char *dsoname = "[unknown]";
if (map && map->dso) {
if (symbol_conf.show_kernel_path && map->dso->long_name)
dsoname = map->dso->long_name;
Reported by FlawFinder.
Line: 45
Column: 16
CWE codes:
126
libname = strrchr(filename, '/');
if (libname)
lib_length = strlen(libname);
app_abi = getenv("APP_ABI");
if (!app_abi)
return false;
Reported by FlawFinder.
Line: 51
Column: 19
CWE codes:
126
if (!app_abi)
return false;
app_abi_length = strlen(app_abi);
if (strstarts(filename, "/data/app-lib/")) {
char *apk_path;
if (!app_abi_length)
Reported by FlawFinder.
Line: 63
Column: 18
CWE codes:
126
apk_path = getenv("APK_PATH");
if (apk_path) {
new_length += strlen(apk_path) + 1;
if (new_length > PATH_MAX)
return false;
snprintf(newfilename, new_length,
"%s/libs/%s/%s", apk_path, app_abi, libname);
} else {
Reported by FlawFinder.
drivers/scsi/zorro_esp.c
15 issues
Line: 61
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Byte layout of the DMA interface named by the struct tag. The offsets in
 * the field comments follow from the member sizes: dma_addr occupies one
 * byte, so the 0x7fff-byte dmapad2 filler places dma_latch at 0x8000.
 *
 * NOTE(review): dmapad2 looks like layout padding only; nothing in this
 * excerpt copies into it, so the fixed-size-array hit above is on filler
 * rather than on a copy destination. Confirm against the rest of the file.
 */
struct blz1230_dma_registers {
unsigned char dma_addr; /* DMA address [0x0000] */
unsigned char dmapad2[0x7fff];
unsigned char dma_latch; /* DMA latch [0x8000] */
};
/* Blizzard 1230II DMA interface */
Reported by FlawFinder.
Line: 69
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Byte layout of the DMA interface named by the struct tag. dma_addr is one
 * byte, so the 0xf-byte dmapad2 filler places dma_latch at offset 0x0010,
 * matching the offsets in the field comments.
 *
 * NOTE(review): dmapad2 looks like layout padding only; nothing in this
 * excerpt copies into it, so the fixed-size-array hit above is on filler
 * rather than on a copy destination. Confirm against the rest of the file.
 */
struct blz1230II_dma_registers {
unsigned char dma_addr; /* DMA address [0x0000] */
unsigned char dmapad2[0xf];
unsigned char dma_latch; /* DMA latch [0x0010] */
};
/* Blizzard 2060 DMA interface */
Reported by FlawFinder.
Line: 77
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct blz2060_dma_registers {
unsigned char dma_led_ctrl; /* DMA led control [0x000] */
unsigned char dmapad1[0x0f];
unsigned char dma_addr0; /* DMA address (MSB) [0x010] */
unsigned char dmapad2[0x03];
unsigned char dma_addr1; /* DMA address [0x014] */
unsigned char dmapad3[0x03];
unsigned char dma_addr2; /* DMA address [0x018] */
Reported by FlawFinder.
Line: 79
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char dma_led_ctrl; /* DMA led control [0x000] */
unsigned char dmapad1[0x0f];
unsigned char dma_addr0; /* DMA address (MSB) [0x010] */
unsigned char dmapad2[0x03];
unsigned char dma_addr1; /* DMA address [0x014] */
unsigned char dmapad3[0x03];
unsigned char dma_addr2; /* DMA address [0x018] */
unsigned char dmapad4[0x03];
unsigned char dma_addr3; /* DMA address (LSB) [0x01c] */
Reported by FlawFinder.
Line: 81
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char dma_addr0; /* DMA address (MSB) [0x010] */
unsigned char dmapad2[0x03];
unsigned char dma_addr1; /* DMA address [0x014] */
unsigned char dmapad3[0x03];
unsigned char dma_addr2; /* DMA address [0x018] */
unsigned char dmapad4[0x03];
unsigned char dma_addr3; /* DMA address (LSB) [0x01c] */
};
Reported by FlawFinder.
Line: 83
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char dma_addr1; /* DMA address [0x014] */
unsigned char dmapad3[0x03];
unsigned char dma_addr2; /* DMA address [0x018] */
unsigned char dmapad4[0x03];
unsigned char dma_addr3; /* DMA address (LSB) [0x01c] */
};
/* DMA control bits */
#define DMA_WRITE 0x80000000
Reported by FlawFinder.
Line: 94
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cyber_dma_registers {
unsigned char dma_addr0; /* DMA address (MSB) [0x000] */
unsigned char dmapad1[1];
unsigned char dma_addr1; /* DMA address [0x002] */
unsigned char dmapad2[1];
unsigned char dma_addr2; /* DMA address [0x004] */
unsigned char dmapad3[1];
unsigned char dma_addr3; /* DMA address (LSB) [0x006] */
Reported by FlawFinder.
Line: 96
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char dma_addr0; /* DMA address (MSB) [0x000] */
unsigned char dmapad1[1];
unsigned char dma_addr1; /* DMA address [0x002] */
unsigned char dmapad2[1];
unsigned char dma_addr2; /* DMA address [0x004] */
unsigned char dmapad3[1];
unsigned char dma_addr3; /* DMA address (LSB) [0x006] */
unsigned char dmapad4[0x3fb];
unsigned char cond_reg; /* DMA cond (ro) [0x402] */
Reported by FlawFinder.
Line: 98
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char dma_addr1; /* DMA address [0x002] */
unsigned char dmapad2[1];
unsigned char dma_addr2; /* DMA address [0x004] */
unsigned char dmapad3[1];
unsigned char dma_addr3; /* DMA address (LSB) [0x006] */
unsigned char dmapad4[0x3fb];
unsigned char cond_reg; /* DMA cond (ro) [0x402] */
#define ctrl_reg cond_reg /* DMA control (wo) [0x402] */
};
Reported by FlawFinder.
Line: 100
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char dma_addr2; /* DMA address [0x004] */
unsigned char dmapad3[1];
unsigned char dma_addr3; /* DMA address (LSB) [0x006] */
unsigned char dmapad4[0x3fb];
unsigned char cond_reg; /* DMA cond (ro) [0x402] */
#define ctrl_reg cond_reg /* DMA control (wo) [0x402] */
};
/* DMA control bits */
Reported by FlawFinder.
crypto/asymmetric_keys/public_key.c
15 issues
Line: 91
Column: 3
CWE codes:
120
Suggestion:
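Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The destination is the `char alg_name[CRYPTO_MAX_ALG_NAME]` parameter shown in the following entries for this file, and `strcpy` copies up to the terminator of `pkey->pkey_algo` without reference to that size; confirm where `pkey_algo` is set that it is always shorter than `CRYPTO_MAX_ALG_NAME`, or use a bounded copy that reports truncation, such as the kernel's `strscpy`.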
if (strcmp(encoding, "raw") == 0 ||
strcmp(encoding, "x962") == 0) {
strcpy(alg_name, pkey->pkey_algo);
return 0;
}
return -ENOPKG;
}
Reported by FlawFinder.
Line: 66
Column: 43
CWE codes:
119
120
Suggestion:
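Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. This hit is on the parameter declaration `char alg_name[CRYPTO_MAX_ALG_NAME]`; as a function parameter this is a pointer, so the size in the brackets documents the expected buffer but is not enforced by the compiler, and each caller has to supply a buffer of at least that size.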
* Determine the crypto algorithm name.
*/
static
int software_key_determine_akcipher(const char *encoding,
const char *hash_algo,
const struct public_key *pkey,
char alg_name[CRYPTO_MAX_ALG_NAME])
{
int n;
Reported by FlawFinder.
Line: 67
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static
int software_key_determine_akcipher(const char *encoding,
const char *hash_algo,
const struct public_key *pkey,
char alg_name[CRYPTO_MAX_ALG_NAME])
{
int n;
Reported by FlawFinder.
Line: 69
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int software_key_determine_akcipher(const char *encoding,
const char *hash_algo,
const struct public_key *pkey,
char alg_name[CRYPTO_MAX_ALG_NAME])
{
int n;
if (strcmp(encoding, "pkcs1") == 0) {
/* The data wangled by the RSA algorithm is typically padded
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Append the raw bytes of @val (sizeof(val) of them, in the CPU's native
 * byte order, since this is a plain memcpy of the variable) at @dst and
 * return the address immediately after them, so calls can be chained.
 *
 * The copy length is a compile-time constant, but no destination length is
 * passed in, so the function cannot check for room itself: every caller has
 * to guarantee at least sizeof(val) writable bytes at @dst.
 */
static u8 *pkey_pack_u32(u8 *dst, u32 val)
{
memcpy(dst, &val, sizeof(val));
return dst + sizeof(val);
}
/*
* Query information about a key.
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct crypto_akcipher *tfm;
struct public_key *pkey = params->key->payload.data[asym_crypto];
char alg_name[CRYPTO_MAX_ALG_NAME];
u8 *key, *ptr;
int ret, len;
ret = software_key_determine_akcipher(params->encoding,
params->hash_algo,
Reported by FlawFinder.
Line: 131
Column: 2
CWE codes:
120
Suggestion:
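Make sure destination can always hold the source data. The allocation of `key` is cut off above the excerpt. The code shown writes `pkey->keylen` bytes, two u32 values and `pkey->paramlen` bytes into it, so the allocation must be at least `pkey->keylen + 2 * sizeof(u32) + pkey->paramlen`, with that sum checked for overflow.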
GFP_KERNEL);
if (!key)
goto error_free_tfm;
memcpy(key, pkey->key, pkey->keylen);
ptr = key + pkey->keylen;
ptr = pkey_pack_u32(ptr, pkey->algo);
ptr = pkey_pack_u32(ptr, pkey->paramlen);
memcpy(ptr, pkey->params, pkey->paramlen);
Reported by FlawFinder.
Line: 135
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr = key + pkey->keylen;
ptr = pkey_pack_u32(ptr, pkey->algo);
ptr = pkey_pack_u32(ptr, pkey->paramlen);
memcpy(ptr, pkey->params, pkey->paramlen);
if (pkey->key_is_private)
ret = crypto_akcipher_set_priv_key(tfm, key, pkey->keylen);
else
ret = crypto_akcipher_set_pub_key(tfm, key, pkey->keylen);
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct crypto_akcipher *tfm;
struct crypto_wait cwait;
struct scatterlist in_sg, out_sg;
char alg_name[CRYPTO_MAX_ALG_NAME];
char *key, *ptr;
int ret;
pr_devel("==>%s()\n", __func__);
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!key)
goto error_free_req;
memcpy(key, pkey->key, pkey->keylen);
ptr = key + pkey->keylen;
ptr = pkey_pack_u32(ptr, pkey->algo);
ptr = pkey_pack_u32(ptr, pkey->paramlen);
memcpy(ptr, pkey->params, pkey->paramlen);
Reported by FlawFinder.
net/ipv6/ah6.c
15 issues
Line: 307
Column: 2
CWE codes:
120
Suggestion:
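Make sure destination can always hold the source data. `ahp->icv_trunc_len` and `extlen` are run-time values whose derivation is outside the excerpt; the review question is whether both are bounded by the sizes of the buffers they index when they are first computed, since none of the copies shown checks them.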
iph_ext = ah_tmp_ext(iph_base);
icv = ah_tmp_icv(ahp->ahash, iph_ext, extlen);
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
if (extlen) {
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(&top_iph->saddr, iph_ext, extlen);
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
icv = ah_tmp_icv(ahp->ahash, iph_ext, extlen);
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
if (extlen) {
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(&top_iph->saddr, iph_ext, extlen);
#else
Reported by FlawFinder.
Line: 312
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (extlen) {
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(&top_iph->saddr, iph_ext, extlen);
#else
memcpy(&top_iph->daddr, iph_ext, extlen);
#endif
}
Reported by FlawFinder.
Line: 314
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(&top_iph->saddr, iph_ext, extlen);
#else
memcpy(&top_iph->daddr, iph_ext, extlen);
#endif
}
kfree(AH_SKB_CB(skb)->tmp);
xfrm_output_resume(skb->sk, skb, err);
Reported by FlawFinder.
Line: 385
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* When there are no extension headers, we only need to save the first
* 8 bytes of the base IP header.
*/
memcpy(iph_base, top_iph, IPV6HDR_BASELEN);
if (extlen) {
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(iph_ext, &top_iph->saddr, extlen);
#else
Reported by FlawFinder.
Line: 389
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (extlen) {
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(iph_ext, &top_iph->saddr, extlen);
#else
memcpy(iph_ext, &top_iph->daddr, extlen);
#endif
err = ipv6_clear_mutable_options(top_iph,
extlen - sizeof(*iph_ext) +
Reported by FlawFinder.
Line: 391
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(iph_ext, &top_iph->saddr, extlen);
#else
memcpy(iph_ext, &top_iph->daddr, extlen);
#endif
err = ipv6_clear_mutable_options(top_iph,
extlen - sizeof(*iph_ext) +
sizeof(*top_iph),
XFRM_POLICY_OUT);
Reported by FlawFinder.
Line: 440
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_free;
}
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
if (extlen) {
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(&top_iph->saddr, iph_ext, extlen);
Reported by FlawFinder.
Line: 441
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(ah->auth_data, icv, ahp->icv_trunc_len);
memcpy(top_iph, iph_base, IPV6HDR_BASELEN);
if (extlen) {
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(&top_iph->saddr, iph_ext, extlen);
#else
Reported by FlawFinder.
Line: 445
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (extlen) {
#if IS_ENABLED(CONFIG_IPV6_MIP6)
memcpy(&top_iph->saddr, iph_ext, extlen);
#else
memcpy(&top_iph->daddr, iph_ext, extlen);
#endif
}
Reported by FlawFinder.
block/sed-opal.c
15 issues
Line: 640
Column: 2
CWE codes:
120
Suggestion:
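Make sure destination can always hold the source data. In this excerpt the bound depends on `add_bytestring_header`, which is given the same `len` and whose NULL return is checked before the copy; verify that it rejects a `len` that does not fit in the remaining command buffer.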
start = add_bytestring_header(err, cmd, len);
if (!start)
return;
memcpy(start, bytestring, len);
cmd->pos += len;
}
static int build_locking_range(u8 *buffer, size_t length, u8 lr)
{
Reported by FlawFinder.
Line: 651
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ERANGE;
}
memcpy(buffer, opaluid[OPAL_LOCKINGRANGE_GLOBAL], OPAL_UID_LENGTH);
if (lr == 0)
return 0;
buffer[5] = LOCKING_RANGE_NON_GLOBAL;
Reported by FlawFinder.
Line: 669
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ERANGE;
}
memcpy(buffer, opaluid[OPAL_USER1_UID], OPAL_UID_LENGTH);
buffer[7] = lr + 1;
return 0;
}
Reported by FlawFinder.
Line: 1156
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* so we have to get the first half of the OPAL_TABLE_TABLE and use the
* first part of the target table as relative index into that table
*/
memcpy(uid, opaluid[OPAL_TABLE_TABLE], half);
memcpy(uid + half, table_uid, half);
return generic_get_column(dev, uid, column);
}
Reported by FlawFinder.
Line: 1157
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* first part of the target table as relative index into that table
*/
memcpy(uid, opaluid[OPAL_TABLE_TABLE], half);
memcpy(uid + half, table_uid, half);
return generic_get_column(dev, uid, column);
}
static int gen_key(struct opal_dev *dev, void *data)
Reported by FlawFinder.
Line: 1512
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
err = build_locking_user(lk_ul_user, sizeof(lk_ul_user),
session->who - 1);
else
memcpy(lk_ul_user, opaluid[OPAL_ADMIN1_UID], OPAL_UID_LENGTH);
if (err)
return err;
err = cmd_start(dev, opaluid[OPAL_SMUID_UID],
Reported by FlawFinder.
Line: 1561
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 uid[OPAL_UID_LENGTH];
int err;
memcpy(uid, opaluid[OPAL_USER1_UID], OPAL_UID_LENGTH);
uid[7] = session->who;
err = cmd_start(dev, uid, opalmethod[OPAL_SET]);
add_token_u8(&err, dev, OPAL_STARTNAME);
add_token_u8(&err, dev, OPAL_VALUES);
Reported by FlawFinder.
Line: 1687
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 cpin_uid[OPAL_UID_LENGTH];
struct opal_session_info *usr = data;
memcpy(cpin_uid, opaluid[OPAL_C_PIN_ADMIN1], OPAL_UID_LENGTH);
if (usr->who != OPAL_ADMIN1) {
cpin_uid[5] = 0x03;
if (usr->sum)
cpin_uid[7] = usr->opal_key.lr + 1;
Reported by FlawFinder.
Line: 1711
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 cpin_uid[OPAL_UID_LENGTH];
struct opal_key *key = data;
memcpy(cpin_uid, opaluid[OPAL_C_PIN_SID], OPAL_UID_LENGTH);
if (generic_pw_cmd(key->key, key->key_len, cpin_uid, dev)) {
pr_debug("Error building Set SID cpin\n");
return -ERANGE;
}
Reported by FlawFinder.
Line: 1727
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct opal_lock_unlock *lkul = data;
int err;
memcpy(lr_buffer, opaluid[OPAL_LOCKINGRANGE_ACE_RDLOCKED],
OPAL_UID_LENGTH);
if (lkul->l_state == OPAL_RW)
memcpy(lr_buffer, opaluid[OPAL_LOCKINGRANGE_ACE_WRLOCKED],
OPAL_UID_LENGTH);
Reported by FlawFinder.
fs/ocfs2/dlm/dlmdomain.c
15 issues
Line: 1060
Column: 2
CWE codes:
120
Suggestion:
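Make sure destination can always hold the source data. The copy length is taken from the source (`strlen(dlm->name)`), not from the size of `qr->qr_domain`, so safety rests on `dlm->name` never being longer than the domain field; confirm this where the name is set. The same pattern recurs in the entries for lines 1246, 1359, 1426 and 1511.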
qr->qr_node = dlm->node_num;
qr->qr_namelen = strlen(dlm->name);
memcpy(qr->qr_domain, dlm->name, qr->qr_namelen);
/* if local hb, the numregions will be zero */
if (o2hb_global_heartbeat_active())
qr->qr_numregions = o2hb_get_all_regions(qr->qr_regions,
O2NM_MAX_REGIONS);
Reported by FlawFinder.
Line: 1246
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qn->qn_nodenum = dlm->node_num;
qn->qn_numnodes = count;
qn->qn_namelen = strlen(dlm->name);
memcpy(qn->qn_domain, dlm->name, qn->qn_namelen);
i = -1;
while ((i = find_next_bit(node_map, O2NM_MAX_NODES,
i + 1)) < O2NM_MAX_NODES) {
if (i == dlm->node_num)
Reported by FlawFinder.
Line: 1359
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&cancel_msg, 0, sizeof(cancel_msg));
cancel_msg.node_idx = dlm->node_num;
cancel_msg.name_len = strlen(dlm->name);
memcpy(cancel_msg.domain, dlm->name, cancel_msg.name_len);
status = o2net_send_message(DLM_CANCEL_JOIN_MSG, DLM_MOD_KEY,
&cancel_msg, sizeof(cancel_msg), node,
NULL);
if (status < 0) {
Reported by FlawFinder.
Line: 1426
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&join_msg, 0, sizeof(join_msg));
join_msg.node_idx = dlm->node_num;
join_msg.name_len = strlen(dlm->name);
memcpy(join_msg.domain, dlm->name, join_msg.name_len);
join_msg.dlm_proto = dlm->dlm_locking_proto;
join_msg.fs_proto = dlm->fs_locking_proto;
/* copy live node map to join message */
byte_copymap(join_msg.node_map, dlm->live_nodes_map, O2NM_MAX_NODES);
Reported by FlawFinder.
Line: 1511
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&assert_msg, 0, sizeof(assert_msg));
assert_msg.node_idx = dlm->node_num;
assert_msg.name_len = strlen(dlm->name);
memcpy(assert_msg.domain, dlm->name, assert_msg.name_len);
status = o2net_send_message(DLM_ASSERT_JOINED_MSG, DLM_MOD_KEY,
&assert_msg, sizeof(assert_msg), node,
&ret);
if (status < 0)
Reported by FlawFinder.
Line: 1646
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* yes_resp_map. Copy that into our domain map and send a join
* assert message to clean up everyone elses state. */
spin_lock(&dlm->spinlock);
memcpy(dlm->domain_map, ctxt->yes_resp_map,
sizeof(ctxt->yes_resp_map));
set_bit(dlm->node_num, dlm->domain_map);
spin_unlock(&dlm->spinlock);
/* Support for global heartbeat and node info was added in 1.1 */
Reported by FlawFinder.
Line: 1857
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int status;
unsigned int backoff;
unsigned int total_backoff = 0;
char wq_name[O2NM_MAX_NAME_LEN];
BUG_ON(!dlm);
mlog(0, "Join domain %s\n", dlm->name);
Reported by FlawFinder.
Line: 253
Column: 7
CWE codes:
126
/* tmp->name here is always NULL terminated,
* but domain may not be! */
list_for_each_entry(tmp, &dlm_domains, list) {
if (strlen(tmp->name) == len &&
memcmp(tmp->name, domain, len)==0)
return tmp;
}
return NULL;
Reported by FlawFinder.
Line: 266
Column: 42
CWE codes:
126
{
assert_spin_locked(&dlm_domain_lock);
return __dlm_lookup_domain_full(domain, strlen(domain));
}
/* returns true on one of two conditions:
* 1) the domain does not exist
Reported by FlawFinder.
Line: 1059
Column: 19
CWE codes:
126
}
qr->qr_node = dlm->node_num;
qr->qr_namelen = strlen(dlm->name);
memcpy(qr->qr_domain, dlm->name, qr->qr_namelen);
/* if local hb, the numregions will be zero */
if (o2hb_global_heartbeat_active())
qr->qr_numregions = o2hb_get_all_regions(qr->qr_regions,
O2NM_MAX_REGIONS);
Reported by FlawFinder.
drivers/scsi/scsi_transport_fc.c
15 issues
Line: 222
Column: 11
CWE codes:
120
Suggestion:
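Use sprintf_s, snprintf, or vsnprintf. Each call appends at `buf + len` with no remaining-size argument, so the total written is limited only by the number and length of the `table[i].name` entries; a bounded append that tracks the space left, such as the kernel's `scnprintf`, makes the limit explicit.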
\
for (i = 0; i < ARRAY_SIZE(table); i++) { \
if (table[i].value & table_key) { \
len += sprintf(buf + len, "%s%s", \
prefix, table[i].name); \
prefix = ", "; \
} \
} \
len += sprintf(buf + len, "\n"); \
Reported by FlawFinder.
Line: 1001
Column: 9
CWE codes:
134
Suggestion:
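Use a constant for the format specification. Here `format_string` is a parameter of the function-generating macro, so it is fixed at each macro use; the check is that every instantiation passes a string literal.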
(rport->port_state == FC_PORTSTATE_DELETED) || \
(rport->port_state == FC_PORTSTATE_NOTPRESENT))) \
i->f->get_rport_##field(rport); \
return snprintf(buf, sz, format_string, cast rport->field); \
}
#define fc_rport_store_function(field) \
static ssize_t \
store_fc_rport_##field(struct device *dev, \
Reported by FlawFinder.
Line: 1050
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct device_attribute *attr, char *buf) \
{ \
struct fc_rport *rport = transport_class_to_rport(dev); \
return snprintf(buf, sz, format_string, cast rport->field); \
}
#define fc_private_rport_rd_attr(field, format_string, sz) \
fc_private_rport_show_function(field, format_string, sz, ) \
static FC_DEVICE_ATTR(rport, field, S_IRUGO, \
Reported by FlawFinder.
Line: 1429
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
fc_starget_##field(starget) = rport->field; \
else if (i->f->get_starget_##field) \
i->f->get_starget_##field(starget); \
return snprintf(buf, sz, format_string, \
cast fc_starget_##field(starget)); \
}
#define fc_starget_rd_attr(field, format_string, sz) \
fc_starget_show_function(field, format_string, sz, ) \
Reported by FlawFinder.
Line: 1482
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
if ((i->f->get_vport_##field) && \
!(vport->flags & (FC_VPORT_DEL | FC_VPORT_CREATING))) \
i->f->get_vport_##field(vport); \
return snprintf(buf, sz, format_string, cast vport->field); \
}
#define fc_vport_store_function(field) \
static ssize_t \
store_fc_vport_##field(struct device *dev, \
Reported by FlawFinder.
Line: 1549
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct device_attribute *attr, char *buf) \
{ \
struct fc_vport *vport = transport_class_to_vport(dev); \
return snprintf(buf, sz, format_string, cast vport->field); \
}
#define fc_private_vport_store_u32_function(field) \
static ssize_t \
store_fc_vport_##field(struct device *dev, \
Reported by FlawFinder.
Line: 1749
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct fc_internal *i = to_fc_internal(shost->transportt); \
if (i->f->get_host_##field) \
i->f->get_host_##field(shost); \
return snprintf(buf, sz, format_string, cast fc_host_##field(shost)); \
}
#define fc_host_store_function(field) \
static ssize_t \
store_fc_host_##field(struct device *dev, \
Reported by FlawFinder.
Line: 1856
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
struct device_attribute *attr, char *buf) \
{ \
struct Scsi_Host *shost = transport_class_to_shost(dev); \
return snprintf(buf, sz, format_string, cast fc_host_##field(shost)); \
}
#define fc_private_host_rd_attr(field, format_string, sz) \
fc_private_host_show_function(field, format_string, sz, ) \
static FC_DEVICE_ATTR(host, field, S_IRUGO, \
Reported by FlawFinder.
Line: 277
Column: 10
CWE codes:
120
Suggestion:
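Use sprintf_s, snprintf, or vsnprintf. Here the loop bound (FC_FC4_LIST_SIZE) and the format ("0x%02x ") are compile-time constants, so, assuming each list element is a single byte, the worst-case output is 5 × FC_FC4_LIST_SIZE + 1 characters plus the terminator. The finding reduces to confirming that buf, whose size is not visible in this excerpt, is at least that large.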
int i, len=0;
for (i = 0; i < FC_FC4_LIST_SIZE; i++, fc4_list++)
len += sprintf(buf + len , "0x%02x ", *fc4_list);
len += sprintf(buf + len, "\n");
return len;
}
Reported by FlawFinder.
Line: 581
Column: 3
CWE codes:
120
Suggestion:
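Make sure destination can always hold the source data. Here the copy length is the runtime value data_len, so the point to verify is that the buffer behind event (allocated outside this excerpt) was sized from the same data_len, and that data_len is bounded before it reaches this code.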
event->event_num = event_number;
event->event_code = event_code;
if (data_len)
memcpy(&event->event_data, data_buf, data_len);
nlmsg_multicast(scsi_nl_sock, skb, 0, SCSI_NL_GRP_FC_EVENTS,
GFP_KERNEL);
return;
Reported by FlawFinder.
drivers/media/usb/go7007/go7007-fw.c
15 issues
Line: 329
Column: 2
CWE codes:
120
Suggestion:
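Make sure destination can always hold the source data. In this finding and the related ones at lines 331–346, every copy length is a compile-time constant (16 or the sizeof of the source table), so the total number of bytes written is fixed. What needs confirming is the size of buf, which these excerpts do not show.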
buf[p++] = 418 >> 8;
buf[p++] = 418 & 0xff;
buf[p++] = 0x00;
memcpy(buf + p, bits_dc_luminance + 1, 16);
p += 16;
memcpy(buf + p, val_dc_luminance, sizeof(val_dc_luminance));
p += sizeof(val_dc_luminance);
buf[p++] = 0x01;
memcpy(buf + p, bits_dc_chrominance + 1, 16);
Reported by FlawFinder.
Line: 331
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[p++] = 0x00;
memcpy(buf + p, bits_dc_luminance + 1, 16);
p += 16;
memcpy(buf + p, val_dc_luminance, sizeof(val_dc_luminance));
p += sizeof(val_dc_luminance);
buf[p++] = 0x01;
memcpy(buf + p, bits_dc_chrominance + 1, 16);
p += 16;
memcpy(buf + p, val_dc_chrominance, sizeof(val_dc_chrominance));
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf + p, val_dc_luminance, sizeof(val_dc_luminance));
p += sizeof(val_dc_luminance);
buf[p++] = 0x01;
memcpy(buf + p, bits_dc_chrominance + 1, 16);
p += 16;
memcpy(buf + p, val_dc_chrominance, sizeof(val_dc_chrominance));
p += sizeof(val_dc_chrominance);
buf[p++] = 0x10;
memcpy(buf + p, bits_ac_luminance + 1, 16);
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[p++] = 0x01;
memcpy(buf + p, bits_dc_chrominance + 1, 16);
p += 16;
memcpy(buf + p, val_dc_chrominance, sizeof(val_dc_chrominance));
p += sizeof(val_dc_chrominance);
buf[p++] = 0x10;
memcpy(buf + p, bits_ac_luminance + 1, 16);
p += 16;
memcpy(buf + p, val_ac_luminance, sizeof(val_ac_luminance));
Reported by FlawFinder.
Line: 339
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf + p, val_dc_chrominance, sizeof(val_dc_chrominance));
p += sizeof(val_dc_chrominance);
buf[p++] = 0x10;
memcpy(buf + p, bits_ac_luminance + 1, 16);
p += 16;
memcpy(buf + p, val_ac_luminance, sizeof(val_ac_luminance));
p += sizeof(val_ac_luminance);
buf[p++] = 0x11;
memcpy(buf + p, bits_ac_chrominance + 1, 16);
Reported by FlawFinder.
Line: 341
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[p++] = 0x10;
memcpy(buf + p, bits_ac_luminance + 1, 16);
p += 16;
memcpy(buf + p, val_ac_luminance, sizeof(val_ac_luminance));
p += sizeof(val_ac_luminance);
buf[p++] = 0x11;
memcpy(buf + p, bits_ac_chrominance + 1, 16);
p += 16;
memcpy(buf + p, val_ac_chrominance, sizeof(val_ac_chrominance));
Reported by FlawFinder.
Line: 344
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf + p, val_ac_luminance, sizeof(val_ac_luminance));
p += sizeof(val_ac_luminance);
buf[p++] = 0x11;
memcpy(buf + p, bits_ac_chrominance + 1, 16);
p += 16;
memcpy(buf + p, val_ac_chrominance, sizeof(val_ac_chrominance));
p += sizeof(val_ac_chrominance);
buf[p++] = 0xff;
buf[p++] = 0xda;
Reported by FlawFinder.
Line: 346
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[p++] = 0x11;
memcpy(buf + p, bits_ac_chrominance + 1, 16);
p += 16;
memcpy(buf + p, val_ac_chrominance, sizeof(val_ac_chrominance));
p += sizeof(val_ac_chrominance);
buf[p++] = 0xff;
buf[p++] = 0xda;
buf[p++] = 0;
buf[p++] = 12;
Reported by FlawFinder.
Line: 408
Column: 3
CWE codes:
120
Suggestion:
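Make sure destination can always hold the source data. Unlike the constant-length copies above, here both the destination offset (off) and the length (chunk * 2) are computed at run time. The check that keeps off and chunk within the bounds of code lies outside this excerpt and is what to verify. The finding at line 700 shows the same code.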
mem += 28;
}
memcpy(&code[off + 2], buf + i, chunk * 2);
off += 32;
}
done:
kfree(buf);
return off;
Reported by FlawFinder.
Line: 700
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mem += 28;
}
memcpy(&code[off + 2], buf + i, chunk * 2);
off += 32;
}
done:
kfree(buf);
return off;
Reported by FlawFinder.