Line: 75 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	event->type = type;
	event->length = length;
	if (event->length)
		memcpy(&event->data[0], data, length);
	queue->events[queue->size] = event;
	queue->size++;
	up(&queue->sema);
	spin_unlock_irqrestore(&queue->lock, flags);
	return 0;

            

Line: 273 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	void __iomem				*ep_regs;
	void __iomem				*dma_regs;
	void __iomem				*fifo;
	char					name[8];
	struct usb_ep				ep;
	struct usba_udc				*udc;

	struct list_head			queue;


            

Line: 153 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	 * TODO: Rework the JPEG encoder to eliminate the need
	 * for a bounce buffer.
	 */
	memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0) +
	       ctx->vpu_dst_fmt->header_size,
	       ctx->jpeg_enc.bounce_buffer.cpu, bytesused);
	vb2_set_plane_payload(&dst_buf->vb2_buf, 0,
			      ctx->vpu_dst_fmt->header_size + bytesused);
}

            

Line: 1642 Column: 9 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              	struct usb_udc		*udc = container_of(dev, struct usb_udc, dev);
	struct usb_gadget	*gadget = udc->gadget;

	return sprintf(buf, "%s\n", usb_state_string(gadget->state));
}
static DEVICE_ATTR_RO(state);

static ssize_t function_show(struct device *dev, struct device_attribute *attr,
			     char *buf)

            

Line: 404 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	cgc.timeout = IOCTL_TIMEOUT;
	result = sr_do_ioctl(cd, &cgc);

	memcpy(mcn->medium_catalog_number, buffer + 9, 13);
	mcn->medium_catalog_number[13] = 0;

	kfree(buffer);
	return result;
}

            

Line: 300 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	u8 setup_stage;
	u32 last_io;            /* timestamp */

	char name[14];

	unsigned double_buf:1;
	unsigned stopped:1;
	unsigned fnf:1;
	unsigned has_dma:1;

            

Line: 87 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
#if BITS_PER_LONG == 32
	char __user *data;		/* buffer <= 4096 for 0x80 commands */
	char pad[4];
#endif
#if BITS_PER_LONG == 64
	char __user *data;
#endif


            

Line: 815 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	do { \
		const struct usb_descriptor_header * const *__src; \
		for (__src = src; *__src; ++__src) { \
			memcpy(mem, *__src, (*__src)->bLength); \
			mem += (*__src)->bLength; \
		} \
	} while (0)

static int setup_packet(struct fusb300 *fusb300, struct usb_ctrlrequest *ctrl)

            

Line: 1543 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	struct resource *res, *ires;
	void __iomem *reg = NULL;
	struct m66592 *m66592 = NULL;
	char clk_name[8];
	int ret = 0;
	int i;

	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
	if (!res) {

            

Line: 294 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	struct list_head	req_list; /* list of ep request */
	struct mv_u3d_ep_context	*ep_context; /* ep context */
	u32			direction;
	char			name[14];
	u32			processing; /* there is ep request
						queued on haredware */
	spinlock_t		req_lock; /* ep lock */
	unsigned		wedge:1;
	unsigned		enabled:1;