The following issues were found
drivers/net/can/softing/softing_main.c
9 issues
Line: 764
CWE codes:
908
dev_warn(&pdev->dev, "no platform data\n");
return -EINVAL;
}
if (pdat->nbus > ARRAY_SIZE(card->net)) {
dev_warn(&pdev->dev, "%u nets??\n", pdat->nbus);
return -EINVAL;
}
card = kzalloc(sizeof(*card), GFP_KERNEL);
Reported by Cppcheck.
Line: 700
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf) \
{ \
struct softing *card = dev_get_drvdata(dev); \
return sprintf(buf, "%s\n", card->member); \
} \
static DEVICE_ATTR(name, 0444, show_##name, NULL)
DEV_ATTR_RO(serial, id.serial);
DEV_ATTR_RO_STR(firmware, pdat->app.fw);
Reported by FlawFinder.
Line: 98
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += 1;
}
if (!(cf->can_id & CAN_RTR_FLAG))
memcpy(ptr, &cf->data[0], cf->len);
memcpy_toio(&card->dpram[DPRAM_TX + DPRAM_TX_SIZE * fifo_wr],
buf, DPRAM_TX_SIZE);
if (++fifo_wr >= DPRAM_TX_CNT)
fifo_wr = 0;
iowrite8(fifo_wr, &card->dpram[DPRAM_TX_WR]);
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb = alloc_can_skb(netdev, &cf);
if (!skb)
return -ENOMEM;
memcpy(cf, msg, sizeof(*msg));
skb->tstamp = ktime;
return netif_rx(skb);
}
/*
Reported by FlawFinder.
Line: 277
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += 4;
ktime = softing_raw2ktime(card, tmp_u32);
if (!(msg.can_id & CAN_RTR_FLAG))
memcpy(&msg.data[0], ptr, 8);
/* update socket */
if (cmd & CMD_ACK) {
/* acknowledge, was tx msg */
struct sk_buff *skb;
skb = priv->can.echo_skb[priv->tx.echo_get];
Reported by FlawFinder.
Line: 478
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ret, j;
static const uint8_t stream[] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, };
unsigned char back[sizeof(stream)];
if (mutex_lock_interruptible(&card->fw.lock))
return -ERESTARTSYS;
if (card->fw.up) {
mutex_unlock(&card->fw.lock);
Reported by FlawFinder.
Line: 559
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct net_device *ndev = to_net_dev(dev);
struct softing_priv *priv = netdev2softing(ndev);
return sprintf(buf, "%i\n", priv->chip);
}
static ssize_t show_output(struct device *dev, struct device_attribute *attr,
char *buf)
{
Reported by FlawFinder.
Line: 568
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct net_device *ndev = to_net_dev(dev);
struct softing_priv *priv = netdev2softing(ndev);
return sprintf(buf, "0x%02x\n", priv->output);
}
static ssize_t store_output(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 691
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf) \
{ \
struct softing *card = dev_get_drvdata(dev); \
return sprintf(buf, "%u\n", card->member); \
} \
static DEVICE_ATTR(name, 0444, show_##name, NULL)
#define DEV_ATTR_RO_STR(name, member) \
static ssize_t show_##name(struct device *dev, \
Reported by FlawFinder.
drivers/media/usb/dvb-usb/cxusb-analog.c
9 issues
Line: 157
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
to_copy = urb->iso_frame_desc[i].actual_length;
memcpy(auxbuf->buf + auxbuf->paylen, urb->transfer_buffer +
urb->iso_frame_desc[i].offset, to_copy);
auxbuf->paylen += to_copy;
}
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pos + len > auxbuf->paylen)
return false;
memcpy(dest, auxbuf->buf + pos, len);
return true;
}
static bool cxusb_medion_cf_refc_fld_chg(struct dvb_usb_device *dvbdev,
Reported by FlawFinder.
Line: 183
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool firstfield,
unsigned int maxlines,
unsigned int maxlinesamples,
unsigned char buf[4])
{
bool firstfield_code = (buf[3] & CXUSB_BT656_FIELD_MASK) ==
CXUSB_BT656_FIELD_1;
unsigned int remlines;
Reported by FlawFinder.
Line: 231
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void cxusb_medion_cf_refc_start_sch(struct dvb_usb_device *dvbdev,
struct cxusb_bt656_params *bt656,
bool firstfield,
unsigned char buf[4])
{
bool firstfield_code = (buf[3] & CXUSB_BT656_FIELD_MASK) ==
CXUSB_BT656_FIELD_1;
bool sav_code = (buf[3] & CXUSB_BT656_SEAV_MASK) ==
CXUSB_BT656_SEAV_SAV;
Reported by FlawFinder.
Line: 261
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cxusb_bt656_params *bt656,
bool firstfield,
unsigned int maxlinesamples,
unsigned char buf[4])
{
bool sav_code = (buf[3] & CXUSB_BT656_SEAV_MASK) ==
CXUSB_BT656_SEAV_SAV;
unsigned int remsamples;
Reported by FlawFinder.
Line: 289
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void cxusb_medion_cf_refc_vbi_smpl(struct dvb_usb_device *dvbdev,
struct cxusb_bt656_params *bt656,
unsigned char buf[4])
{
bool sav_code = (buf[3] & CXUSB_BT656_SEAV_MASK) ==
CXUSB_BT656_SEAV_SAV;
if (sav_code)
Reported by FlawFinder.
Line: 307
Column: 19
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool firstfield,
unsigned int maxlines,
unsigned int maxlinesamples,
unsigned char buf[4])
{
if (bt656->fmode == START_SEARCH) {
cxusb_medion_cf_refc_start_sch(dvbdev, bt656, firstfield, buf);
} else if (bt656->fmode == LINE_SAMPLES) {
cxusb_medion_cf_refc_line_smpl(dvbdev, bt656, firstfield,
Reported by FlawFinder.
Line: 328
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct cxusb_bt656_params *bt656,
unsigned int maxlinesamples)
{
unsigned char buf[64];
unsigned int idx;
unsigned int tocheck = clamp_t(size_t, maxlinesamples / 4, 3,
sizeof(buf));
if (!cxusb_auxbuf_copy(auxbuf, bt656->pos + 1, buf, tocheck))
Reported by FlawFinder.
Line: 398
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
break;
if (val == CXUSB_BT656_PREAMBLE[0]) {
unsigned char buf[4];
buf[0] = val;
if (!cxusb_auxbuf_copy(auxbuf, bt656->pos + 1,
buf + 1, 3))
break;
Reported by FlawFinder.
drivers/md/dm-delay.c
9 issues
Line: 127
Column: 10
CWE codes:
120
20
if (dc->kdelayd_wq)
destroy_workqueue(dc->kdelayd_wq);
if (dc->read.dev)
dm_put_device(ti, dc->read.dev);
if (dc->write.dev)
dm_put_device(ti, dc->write.dev);
if (dc->flush.dev)
dm_put_device(ti, dc->flush.dev);
Reported by FlawFinder.
Line: 128
Column: 25
CWE codes:
120
20
destroy_workqueue(dc->kdelayd_wq);
if (dc->read.dev)
dm_put_device(ti, dc->read.dev);
if (dc->write.dev)
dm_put_device(ti, dc->write.dev);
if (dc->flush.dev)
dm_put_device(ti, dc->flush.dev);
Reported by FlawFinder.
Line: 197
Column: 33
CWE codes:
120
20
atomic_set(&dc->may_delay, 1);
dc->argc = argc;
ret = delay_class_ctr(ti, &dc->read, argv);
if (ret)
goto bad;
if (argc == 3) {
ret = delay_class_ctr(ti, &dc->write, argv);
Reported by FlawFinder.
Line: 294
Column: 12
CWE codes:
120
20
else
c = &dc->write;
} else {
c = &dc->read;
}
delayed->class = c;
bio_set_dev(bio, c->dev->bdev);
if (bio_sectors(bio))
bio->bi_iter.bi_sector = c->start + dm_target_offset(ti, bio->bi_iter.bi_sector);
Reported by FlawFinder.
Line: 315
Column: 26
CWE codes:
120
20
switch (type) {
case STATUSTYPE_INFO:
DMEMIT("%u %u %u", dc->read.ops, dc->write.ops, dc->flush.ops);
break;
case STATUSTYPE_TABLE:
DMEMIT_DELAY_CLASS(&dc->read);
if (dc->argc >= 6) {
Reported by FlawFinder.
Line: 338
Column: 33
CWE codes:
120
20
struct delay_c *dc = ti->private;
int ret = 0;
ret = fn(ti, dc->read.dev, dc->read.start, ti->len, data);
if (ret)
goto out;
ret = fn(ti, dc->write.dev, dc->write.start, ti->len, data);
if (ret)
goto out;
Reported by FlawFinder.
Line: 338
Column: 19
CWE codes:
120
20
struct delay_c *dc = ti->private;
int ret = 0;
ret = fn(ti, dc->read.dev, dc->read.start, ti->len, data);
if (ret)
goto out;
ret = fn(ti, dc->write.dev, dc->write.start, ti->len, data);
if (ret)
goto out;
Reported by FlawFinder.
drivers/infiniband/ulp/ipoib/ipoib_main.c
9 issues
Line: 710
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ipoib_pseudo_header *phdr;
phdr = skb_push(skb, sizeof(*phdr));
memcpy(phdr->hwaddr, daddr, INFINIBAND_ALEN);
}
void ipoib_flush_paths(struct net_device *dev)
{
struct ipoib_dev_priv *priv = ipoib_priv(dev);
Reported by FlawFinder.
Line: 792
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"%s got PathRec for gid %pI6 while asked for %pI6\n",
dev->name, pathrec->dgid.raw,
path->pathrec.dgid.raw);
memcpy(pathrec->dgid.raw, path->pathrec.dgid.raw,
sizeof(union ib_gid));
}
path->pathrec = *pathrec;
Reported by FlawFinder.
Line: 871
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
path->pathrec.rec_type = SA_PATH_REC_TYPE_IB;
memcpy(path->pathrec.dgid.raw, gid, sizeof(union ib_gid));
path->pathrec.sgid = priv->local_gid;
path->pathrec.pkey = cpu_to_be16(priv->pkey);
path->pathrec.numb_path = 1;
path->pathrec.traffic_class = priv->broadcast->mcmember.traffic_class;
}
Reported by FlawFinder.
Line: 1889
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->ca->name, priv->port, result);
return result;
}
memcpy(priv->dev->dev_addr + 4, priv->local_gid.raw,
sizeof(union ib_gid));
SET_NETDEV_DEV(priv->dev, priv->ca->dev.parent);
priv->dev->dev_port = priv->port - 1;
/* Let's set this one too for backwards compatibility. */
Reported by FlawFinder.
Line: 1911
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->local_gid, priv->dev->dev_addr + 4,
sizeof(priv->local_gid));
else {
memcpy(priv->dev->dev_addr, ppriv->dev->dev_addr,
INFINIBAND_ALEN);
memcpy(&priv->local_gid, &ppriv->local_gid,
sizeof(priv->local_gid));
}
}
Reported by FlawFinder.
Line: 2027
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
ivf->vf = vf;
memcpy(ivf->mac, dev->dev_addr, dev->addr_len);
return 0;
}
static int ipoib_set_vf_guid(struct net_device *dev, int vf, u64 guid, int type)
Reported by FlawFinder.
Line: 2125
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
NETIF_F_HIGHDMA);
netif_keep_dst(dev);
memcpy(dev->broadcast, ipv4_bcast_addr, INFINIBAND_ALEN);
/*
* unregister_netdev always frees the netdev, we use this mode
* consistently to unify all the various unregister paths, including
* those connected to rtnl_link_ops which require it.
Reported by FlawFinder.
Line: 2327
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
netif_addr_lock_bh(netdev);
memcpy(&priv->local_gid.global.interface_id,
&gid->global.interface_id,
sizeof(gid->global.interface_id));
memcpy(netdev->dev_addr + 4, &priv->local_gid, sizeof(priv->local_gid));
clear_bit(IPOIB_FLAG_DEV_ADDR_SET, &priv->flags);
Reported by FlawFinder.
Line: 2330
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&priv->local_gid.global.interface_id,
&gid->global.interface_id,
sizeof(gid->global.interface_id));
memcpy(netdev->dev_addr + 4, &priv->local_gid, sizeof(priv->local_gid));
clear_bit(IPOIB_FLAG_DEV_ADDR_SET, &priv->flags);
netif_addr_unlock_bh(netdev);
if (!test_bit(IPOIB_FLAG_SUBINTERFACE, &priv->flags)) {
Reported by FlawFinder.
drivers/hwmon/ibmaem.c
9 issues
Line: 506
CWE codes:
562
data->tx_message.data = (char *)&ff_req;
data->tx_message.data_len = sizeof(ff_req);
data->rx_msg_data = &ff_resp;
data->rx_msg_len = sizeof(ff_resp);
aem_send_message(data);
res = wait_for_completion_timeout(&data->read_complete, IPMI_TIMEOUT);
Reported by Cppcheck.
Line: 808
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct aem_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%s%d\n", DRVNAME, data->ver_major);
}
static SENSOR_DEVICE_ATTR_RO(name, name, 0);
/* AEM device version */
static ssize_t version_show(struct device *dev,
Reported by FlawFinder.
Line: 338
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data->rx_msg_len < rx_len)
rx_len = data->rx_msg_len;
data->rx_msg_len = rx_len;
memcpy(data->rx_msg_data, msg->msg.data + 1, data->rx_msg_len);
} else
data->rx_msg_len = 0;
ipmi_free_recv_msg(msg);
complete(&data->read_complete);
Reported by FlawFinder.
Line: 818
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct aem_data *data = dev_get_drvdata(dev);
return sprintf(buf, "%d.%d\n", data->ver_major, data->ver_minor);
}
static SENSOR_DEVICE_ATTR_RO(version, version, 0);
/* Display power use */
static ssize_t aem_show_power(struct device *dev,
Reported by FlawFinder.
Line: 852
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
delta = (after - before) * UJ_PER_MJ;
return sprintf(buf, "%llu\n",
(unsigned long long)div64_u64(delta * NSEC_PER_SEC, time));
}
/* Display energy use */
static ssize_t aem_show_energy(struct device *dev,
Reported by FlawFinder.
Line: 867
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
update_aem_energy_one(a, attr->index);
mutex_unlock(&a->lock);
return sprintf(buf, "%llu\n",
(unsigned long long)a->energy[attr->index] * 1000);
}
/* Display power interval registers */
static ssize_t aem_show_power_period(struct device *dev,
Reported by FlawFinder.
Line: 880
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct aem_data *a = dev_get_drvdata(dev);
a->update(a);
return sprintf(buf, "%lu\n", a->power_period[attr->index]);
}
/* Set power interval registers */
static ssize_t aem_set_power_period(struct device *dev,
struct device_attribute *devattr,
Reported by FlawFinder.
Line: 973
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct aem_data *a = dev_get_drvdata(dev);
a->update(a);
return sprintf(buf, "%u\n", a->temp[attr->index] * 1000);
}
/* Display power-capping registers */
static ssize_t aem2_show_pcap_value(struct device *dev,
struct device_attribute *devattr,
Reported by FlawFinder.
Line: 985
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct aem_data *a = dev_get_drvdata(dev);
a->update(a);
return sprintf(buf, "%u\n", a->pcap[attr->index] * 100000);
}
/* Remove sensors attached to an AEM device */
static void aem_remove_sensors(struct aem_data *data)
{
Reported by FlawFinder.
drivers/greybus/svc.c
9 issues
Line: 74
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gb_svc *svc = to_gb_svc(dev);
return sprintf(buf, "%s\n",
gb_svc_watchdog_enabled(svc) ? "enabled" : "disabled");
}
static ssize_t watchdog_store(struct device *dev,
struct device_attribute *attr, const char *buf,
Reported by FlawFinder.
Line: 29
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gb_svc *svc = to_gb_svc(dev);
return sprintf(buf, "0x%04x\n", svc->endo_id);
}
static DEVICE_ATTR_RO(endo_id);
static ssize_t ap_intf_id_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 38
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct gb_svc *svc = to_gb_svc(dev);
return sprintf(buf, "%u\n", svc->ap_intf_id);
}
static DEVICE_ATTR_RO(ap_intf_id);
// FIXME
// This is a hack, we need to do this "right" and clean the interface up
Reported by FlawFinder.
Line: 106
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct gb_svc *svc = to_gb_svc(dev);
if (svc->action == GB_SVC_WATCHDOG_BITE_PANIC_KERNEL)
return sprintf(buf, "panic\n");
else if (svc->action == GB_SVC_WATCHDOG_BITE_RESET_UNIPRO)
return sprintf(buf, "reset\n");
return -EINVAL;
}
Reported by FlawFinder.
Line: 108
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (svc->action == GB_SVC_WATCHDOG_BITE_PANIC_KERNEL)
return sprintf(buf, "panic\n");
else if (svc->action == GB_SVC_WATCHDOG_BITE_RESET_UNIPRO)
return sprintf(buf, "reset\n");
return -EINVAL;
}
static ssize_t watchdog_action_store(struct device *dev,
Reported by FlawFinder.
Line: 683
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gb_svc *svc = pwrmon_rails->svc;
int ret, desc;
u32 value;
char buff[16];
ret = gb_svc_pwrmon_sample_get(svc, pwrmon_rails->id,
GB_SVC_PWRMON_TYPE_VOL, &value);
if (ret) {
dev_err(&svc->dev,
Reported by FlawFinder.
Line: 707
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gb_svc *svc = pwrmon_rails->svc;
int ret, desc;
u32 value;
char buff[16];
ret = gb_svc_pwrmon_sample_get(svc, pwrmon_rails->id,
GB_SVC_PWRMON_TYPE_CURR, &value);
if (ret) {
dev_err(&svc->dev,
Reported by FlawFinder.
Line: 731
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gb_svc *svc = pwrmon_rails->svc;
int ret, desc;
u32 value;
char buff[16];
ret = gb_svc_pwrmon_sample_get(svc, pwrmon_rails->id,
GB_SVC_PWRMON_TYPE_PWR, &value);
if (ret) {
dev_err(&svc->dev, "failed to get power sample %u: %d\n",
Reported by FlawFinder.
Line: 794
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (i = 0; i < rail_count; i++) {
struct dentry *dir;
struct svc_debugfs_pwrmon_rail *rail = &svc->pwrmon_rails[i];
char fname[GB_SVC_PWRMON_RAIL_NAME_BUFSIZE];
snprintf(fname, sizeof(fname), "%s",
(char *)&rail_names->name[i]);
rail->id = i;
Reported by FlawFinder.
drivers/macintosh/windfarm_fcu_controls.c
9 issues
Line: 126
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned char *ptr, int nb)
{
int tries, nw;
unsigned char buf[16];
buf[0] = reg;
memcpy(buf+1, ptr, nb);
++nb;
tries = 0;
Reported by FlawFinder.
Line: 129
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char buf[16];
buf[0] = reg;
memcpy(buf+1, ptr, nb);
++nb;
tries = 0;
for (;;) {
nw = i2c_master_send(pv->i2c, buf, nb);
if (nw > 0 || (nw < 0 && nw != -EIO) || tries >= 100)
Reported by FlawFinder.
Line: 149
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wf_fcu_fan *fan = ct->priv;
struct wf_fcu_priv *pv = fan->fcu_priv;
int rc, shift = pv->rpm_shift;
unsigned char buf[2];
if (value < fan->min)
value = fan->min;
if (value > fan->max)
value = fan->max;
Reported by FlawFinder.
Line: 173
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int rc, reg_base, shift = pv->rpm_shift;
unsigned char failure;
unsigned char active;
unsigned char buf[2];
rc = wf_fcu_read_reg(pv, 0xb, &failure, 1);
if (rc != 1)
return -EIO;
if ((failure & (1 << fan->id)) != 0)
Reported by FlawFinder.
Line: 205
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct wf_fcu_fan *fan = ct->priv;
struct wf_fcu_priv *pv = fan->fcu_priv;
unsigned char buf[2];
int rc;
if (value < fan->min)
value = fan->min;
if (value > fan->max)
Reported by FlawFinder.
Line: 229
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wf_fcu_priv *pv = fan->fcu_priv;
unsigned char failure;
unsigned char active;
unsigned char buf[2];
int rc;
rc = wf_fcu_read_reg(pv, 0x2b, &failure, 1);
if (rc != 1)
return -EIO;
Reported by FlawFinder.
Line: 292
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Try to fetch pumps min/max infos from eeprom */
if (mpu) {
memcpy(&tmp, mpu->processor_part_num, 8);
if (tmp[0] != 0xffff && tmp[1] != 0xffff) {
pump_min = max(pump_min, tmp[0]);
pump_max = min(pump_max, tmp[1]);
}
if (tmp[2] != 0xffff && tmp[3] != 0xffff) {
Reported by FlawFinder.
Line: 378
Column: 34
CWE codes:
126
* therm_pm72 which seems to work so ...
*/
if (type == FCU_FAN_RPM) {
if (!strncmp(name, "cpu-pump", strlen("cpu-pump")))
wf_fcu_get_pump_minmax(fan);
else
wf_fcu_get_rpmfan_minmax(fan);
fan->ctrl.type = WF_CONTROL_RPM_FAN;
fan->ctrl.ops = &wf_fcu_fan_rpm_ops;
Reported by FlawFinder.
Line: 460
Column: 9
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(loc_trans); i++) {
if (strncmp(loc, loc_trans[i].dt_name,
strlen(loc_trans[i].dt_name)))
continue;
name = loc_trans[i].ct_name;
DBG(" location match, name: %s\n", name);
Reported by FlawFinder.
drivers/input/input.c
9 issues
Line: 144
Column: 16
CWE codes:
362
count = input_to_handler(handle, vals, count);
} else {
list_for_each_entry_rcu(handle, &dev->h_list, d_node)
if (handle->open) {
count = input_to_handler(handle, vals, count);
if (!count)
break;
}
}
Reported by FlawFinder.
Line: 573
Column: 16
CWE codes:
362
synchronize_rcu();
list_for_each_entry(handle, &dev->h_list, d_node)
if (handle->open && handle->handler->start)
handle->handler->start(handle);
}
}
/**
Reported by FlawFinder.
Line: 628
Column: 11
CWE codes:
362
goto out;
}
if (dev->open) {
retval = dev->open(dev);
if (retval) {
dev->users--;
handle->open--;
/*
Reported by FlawFinder.
Line: 629
Column: 17
CWE codes:
362
}
if (dev->open) {
retval = dev->open(dev);
if (retval) {
dev->users--;
handle->open--;
/*
* Make sure we are not delivering any more events
Reported by FlawFinder.
Line: 690
Column: 17
CWE codes:
362
dev->close(dev);
}
if (!--handle->open) {
/*
* synchronize_rcu() makes sure that input_pass_event()
* completed and that no more input events are delivered
* through this handle
*/
Reported by FlawFinder.
Line: 834
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ke->keycode = input_fetch_keycode(dev, index);
ke->index = index;
ke->len = sizeof(index);
memcpy(ke->scancode, &index, sizeof(index));
return 0;
}
static int input_default_setkeycode(struct input_dev *dev,
Reported by FlawFinder.
Line: 1146
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
bool skip_empty = true;
char buf[18];
seq_printf(seq, "B: %s=", name);
for (i = BITS_TO_LONGS(max) - 1; i >= 0; i--) {
if (input_bits_to_string(buf, sizeof(buf),
Reported by FlawFinder.
Line: 1785
Column: 12
CWE codes:
362
goto out;
if (dev->users) {
if (dev->open) {
ret = dev->open(dev);
if (ret)
goto out;
}
if (dev->poller)
Reported by FlawFinder.
Line: 1786
Column: 15
CWE codes:
362
if (dev->users) {
if (dev->open) {
ret = dev->open(dev);
if (ret)
goto out;
}
if (dev->poller)
input_dev_poller_start(dev->poller);
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/mad.c
9 issues
Line: 371
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
smp->attr_id = IB_SMP_ATTR_NOTICE;
/* o14-1: smp->mkey = 0; */
memcpy(smp->route.lid.data, &trap->data, trap->len);
spin_lock_irqsave(&ibp->rvp.lock, flags);
if (!ibp->rvp.sm_ah) {
if (ibp->rvp.sm_lid != be16_to_cpu(IB_LID_PERMISSIVE)) {
struct ib_ah *ah;
Reported by FlawFinder.
Line: 506
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hop_cnt = ARRAY_SIZE(trap->data.ntc_256.dr_rtn_path);
}
trap->data.ntc_256.dr_trunc_hop |= hop_cnt;
memcpy(trap->data.ntc_256.dr_rtn_path, return_path,
hop_cnt);
}
trap->len = sizeof(trap->data);
Reported by FlawFinder.
Line: 1016
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct hfi1_pportdata *ppd = dd->pport + port - 1;
memcpy(pkeys, ppd->pkeys, sizeof(ppd->pkeys));
return 0;
}
static int __subn_get_opa_pkeytable(struct opa_smp *smp, u32 am, u8 *data,
Reported by FlawFinder.
Line: 3422
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* PortRcvErrorInfo */
rsp->port_rcv_ei.status_and_code =
dd->err_info_rcvport.status_and_code;
memcpy(&rsp->port_rcv_ei.ei.ei1to12.packet_flit1,
&dd->err_info_rcvport.packet_flit1, sizeof(u64));
memcpy(&rsp->port_rcv_ei.ei.ei1to12.packet_flit2,
&dd->err_info_rcvport.packet_flit2, sizeof(u64));
/* ExcessiverBufferOverrunInfo */
Reported by FlawFinder.
Line: 3424
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dd->err_info_rcvport.status_and_code;
memcpy(&rsp->port_rcv_ei.ei.ei1to12.packet_flit1,
&dd->err_info_rcvport.packet_flit1, sizeof(u64));
memcpy(&rsp->port_rcv_ei.ei.ei1to12.packet_flit2,
&dd->err_info_rcvport.packet_flit2, sizeof(u64));
/* ExcessiverBufferOverrunInfo */
reg = read_csr(dd, RCV_ERR_INFO);
if (reg & RCV_ERR_INFO_RCV_EXCESS_BUFFER_OVERRUN_SMASK) {
Reported by FlawFinder.
Line: 3806
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
new_cc_state->cct.ccti_limit = 0;
memcpy(new_cc_state->cct.entries, ppd->ccti_entries,
ppd->total_cct_entry * sizeof(struct ib_cc_table_entry));
new_cc_state->cong_setting.port_control = IB_CC_CCS_PC_SL_BASED;
new_cc_state->cong_setting.control_map = ppd->cc_sl_control_map;
memcpy(new_cc_state->cong_setting.entries, ppd->congestion_entries,
Reported by FlawFinder.
Line: 3811
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_cc_state->cong_setting.port_control = IB_CC_CCS_PC_SL_BASED;
new_cc_state->cong_setting.control_map = ppd->cc_sl_control_map;
memcpy(new_cc_state->cong_setting.entries, ppd->congestion_entries,
OPA_MAX_SLS * sizeof(struct opa_congestion_setting_entry));
rcu_assign_pointer(ppd->cc_state, new_cc_state);
spin_unlock(&ppd->cc_state_lock);
Reported by FlawFinder.
Line: 3900
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
if ((ts - cce->timestamp) / 2 > U32_MAX)
continue;
memcpy(cong_log->events[i].local_qp_cn_entry, &cce->lqpn, 3);
memcpy(cong_log->events[i].remote_qp_number_cn_entry,
&cce->rqpn, 3);
cong_log->events[i].sl_svc_type_cn_entry =
((cce->sl & 0x1f) << 3) | (cce->svc_type & 0x7);
cong_log->events[i].remote_lid_cn_entry =
Reported by FlawFinder.
Line: 3901
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((ts - cce->timestamp) / 2 > U32_MAX)
continue;
memcpy(cong_log->events[i].local_qp_cn_entry, &cce->lqpn, 3);
memcpy(cong_log->events[i].remote_qp_number_cn_entry,
&cce->rqpn, 3);
cong_log->events[i].sl_svc_type_cn_entry =
((cce->sl & 0x1f) << 3) | (cce->svc_type & 0x7);
cong_log->events[i].remote_lid_cn_entry =
cpu_to_be32(cce->rlid);
Reported by FlawFinder.
drivers/input/touchscreen/iqs5xx.c
9 issues
Line: 102
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iqs5xx_ihex_rec {
char start;
char len[2];
char addr[4];
char type[2];
char data[2];
} __packed;
Reported by FlawFinder.
Line: 103
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iqs5xx_ihex_rec {
char start;
char len[2];
char addr[4];
char type[2];
char data[2];
} __packed;
struct iqs5xx_touch_data {
Reported by FlawFinder.
Line: 104
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char start;
char len[2];
char addr[4];
char type[2];
char data[2];
} __packed;
struct iqs5xx_touch_data {
__be16 abs_x;
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char len[2];
char addr[4];
char type[2];
char data[2];
} __packed;
struct iqs5xx_touch_data {
__be16 abs_x;
__be16 abs_y;
Reported by FlawFinder.
Line: 200
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
put_unaligned_be16(reg, mbuf);
memcpy(mbuf + sizeof(reg), val, len);
/*
* The first addressing attempt outside of a communication window fails
* and must be retried, after which the device clock stretches until it
* is available.
Reported by FlawFinder.
Line: 374
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < pmap_len; i += IQS5XX_BL_BLK_LEN_MAX) {
put_unaligned_be16(bl_addr + i, mbuf);
memcpy(mbuf + sizeof(bl_addr), pmap_data + i,
sizeof(mbuf) - sizeof(bl_addr));
ret = i2c_transfer(client->adapter, &msg, 1);
if (ret != 1)
goto msg_fail;
Reported by FlawFinder.
Line: 804
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rec_num);
error = -EINVAL;
} else {
memcpy(pmap + rec_addr - IQS5XX_CHKSM,
rec_data, rec_len);
}
break;
case IQS5XX_REC_TYPE_EOF:
break;
Reported by FlawFinder.
Line: 902
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = iqs5xx->client;
size_t len = count;
bool input_reg = !iqs5xx->input;
char fw_file[IQS5XX_FW_FILE_LEN + 1];
int error;
if (!len)
return -EINVAL;
Reported by FlawFinder.
Line: 914
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > IQS5XX_FW_FILE_LEN)
return -ENAMETOOLONG;
memcpy(fw_file, buf, len);
fw_file[len] = '\0';
error = iqs5xx_fw_file_write(client, fw_file);
if (error)
return error;
Reported by FlawFinder.