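The following issues were reported by static analysis (FlawFinder, with a few entries from Cppcheck). FlawFinder matches source text lexically, so each entry is a candidate to confirm by hand: fixed-size array declarations are flagged as CWE-119/120 whether or not any write into them is unbounded, and several CWE-120/20 and CWE-362 entries point at a variable or parameter named `read` or `open` rather than at a call to read() or open().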
drivers/message/fusion/mptbase.h
8 issues
Line: 607
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int id; /* Unique adapter id N {0,1,2,...} */
int pci_irq; /* This irq */
char name[MPT_NAME_LENGTH]; /* "iocN" */
const char *prod_name; /* "LSIFC9x9" */
#ifdef CONFIG_FUSION_LOGGING
/* used in mpt_display_event_info */
char evStr[EVENT_DESCR_STR_SZ];
#endif
Reported by FlawFinder.
Line: 611
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *prod_name; /* "LSIFC9x9" */
#ifdef CONFIG_FUSION_LOGGING
/* used in mpt_display_event_info */
char evStr[EVENT_DESCR_STR_SZ];
#endif
char board_name[16];
char board_assembly[16];
char board_tracer[16];
u16 nvdata_version_persistent;
Reported by FlawFinder.
Line: 613
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* used in mpt_display_event_info */
char evStr[EVENT_DESCR_STR_SZ];
#endif
char board_name[16];
char board_assembly[16];
char board_tracer[16];
u16 nvdata_version_persistent;
u16 nvdata_version_default;
int debug_level;
Reported by FlawFinder.
Line: 614
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char evStr[EVENT_DESCR_STR_SZ];
#endif
char board_name[16];
char board_assembly[16];
char board_tracer[16];
u16 nvdata_version_persistent;
u16 nvdata_version_default;
int debug_level;
u8 io_missing_delay;
Reported by FlawFinder.
Line: 615
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
char board_name[16];
char board_assembly[16];
char board_tracer[16];
u16 nvdata_version_persistent;
u16 nvdata_version_default;
int debug_level;
u8 io_missing_delay;
u16 device_missing_delay;
Reported by FlawFinder.
Line: 732
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head fw_event_list;
spinlock_t fw_event_lock;
u8 fw_events_off; /* if '1', then ignore events */
char fw_event_q_name[MPT_KOBJ_NAME_LEN];
struct mutex sas_discovery_mutex;
u8 sas_discovery_runtime;
u8 sas_discovery_ignore_events;
Reported by FlawFinder.
Line: 768
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 fc_link_speed[2];
spinlock_t fc_rescan_work_lock;
struct work_struct fc_rescan_work;
char fc_rescan_work_q_name[MPT_KOBJ_NAME_LEN];
struct workqueue_struct *fc_rescan_work_q;
/* driver forced bus resets count */
unsigned long hard_resets;
/* fw/external bus resets count */
Reported by FlawFinder.
Line: 782
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
spinlock_t scsi_lookup_lock;
u64 dma_mask;
u32 broadcast_aen_busy;
char reset_work_q_name[MPT_KOBJ_NAME_LEN];
struct workqueue_struct *reset_work_q;
struct delayed_work fault_reset_work;
u8 sg_addr_size;
u8 in_rescan;
Reported by FlawFinder.
drivers/media/usb/dvb-usb/m920x.c
8 issues
Line: 425
Column: 5
CWE codes:
120
Suggestion:
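Make sure destination can always hold the source data. In this excerpt the destination `buff` is a 65536-byte allocation and `size` is a u16, so the destination holds any possible `size`; what the excerpt does not show is a check that `i + size` stays within `fw->size` on the source side, which is the bound to confirm in the full function.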
if (pass == 1) {
/* Will stall if using fw->data ... */
memcpy(buff, fw->data + i, size);
ret = usb_control_msg(udev, usb_sndctrlpipe(udev,0),
M9206_FW,
USB_TYPE_VENDOR | USB_DIR_OUT,
value, index, buff, size, 20);
Reported by FlawFinder.
Line: 391
Column: 6
CWE codes:
120
20
static int m920x_firmware_download(struct usb_device *udev, const struct firmware *fw)
{
u16 value, index, size;
u8 *read, *buff;
int i, pass, ret = 0;
buff = kmalloc(65536, GFP_KERNEL);
if (buff == NULL)
return -ENOMEM;
Reported by FlawFinder.
Line: 399
Column: 7
CWE codes:
120
20
return -ENOMEM;
read = kmalloc(4, GFP_KERNEL);
if (!read) {
kfree(buff);
return -ENOMEM;
}
if ((ret = m920x_read(udev, M9206_FILTER, 0x0, 0x8000, read, 4)) != 0)
Reported by FlawFinder.
Line: 404
Column: 57
CWE codes:
120
20
return -ENOMEM;
}
if ((ret = m920x_read(udev, M9206_FILTER, 0x0, 0x8000, read, 4)) != 0)
goto done;
deb("%*ph\n", 4, read);
if ((ret = m920x_read(udev, M9206_FW, 0x0, 0x0, read, 1)) != 0)
goto done;
Reported by FlawFinder.
Line: 406
Column: 19
CWE codes:
120
20
if ((ret = m920x_read(udev, M9206_FILTER, 0x0, 0x8000, read, 4)) != 0)
goto done;
deb("%*ph\n", 4, read);
if ((ret = m920x_read(udev, M9206_FW, 0x0, 0x0, read, 1)) != 0)
goto done;
deb("%x\n", read[0]);
Reported by FlawFinder.
Line: 408
Column: 50
CWE codes:
120
20
goto done;
deb("%*ph\n", 4, read);
if ((ret = m920x_read(udev, M9206_FW, 0x0, 0x0, read, 1)) != 0)
goto done;
deb("%x\n", read[0]);
for (pass = 0; pass < 2; pass++) {
for (i = 0; i + (sizeof(u16) * 3) < fw->size;) {
Reported by FlawFinder.
Line: 410
Column: 14
CWE codes:
120
20
if ((ret = m920x_read(udev, M9206_FW, 0x0, 0x0, read, 1)) != 0)
goto done;
deb("%x\n", read[0]);
for (pass = 0; pass < 2; pass++) {
for (i = 0; i + (sizeof(u16) * 3) < fw->size;) {
value = get_unaligned_le16(fw->data + i);
i += sizeof(u16);
Reported by FlawFinder.
drivers/media/dvb-frontends/sp2.c
8 issues
Line: 73
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
buffer[0] = reg;
memcpy(&buffer[1], buf, len);
ret = i2c_transfer(adap, &msg, 1);
if (ret != 1) {
dev_err(&client->dev, "i2c write error, reg = 0x%02x, status = %d\n",
Reported by FlawFinder.
Line: 234
Column: 19
CWE codes:
362
}
int sp2_ci_poll_slot_status(struct dvb_ca_en50221 *en50221,
int slot, int open)
{
struct sp2 *s = en50221->data;
u8 buf[2];
int ret;
Reported by FlawFinder.
Line: 240
Column: 54
CWE codes:
362
u8 buf[2];
int ret;
dev_dbg(&s->client->dev, "slot:%d open:%d\n", slot, open);
/*
* CAM module INSERT/REMOVE processing. Slow operation because of i2c
* transfers. Throttle read to one per sec.
*/
Reported by FlawFinder.
Line: 93
Column: 7
CWE codes:
120
20
}
static int sp2_ci_op_cam(struct dvb_ca_en50221 *en50221, int slot, u8 acs,
u8 read, int addr, u8 data)
{
struct sp2 *s = en50221->data;
u8 store;
int mem, ret;
int (*ci_op_cam)(void*, u8, int, u8, int*) = s->ci_control;
Reported by FlawFinder.
Line: 125
Column: 28
CWE codes:
120
20
/* implementation of ci_op_cam is device specific */
if (ci_op_cam) {
ret = ci_op_cam(s->priv, read, addr, data, &mem);
} else {
dev_err(&s->client->dev, "callback not defined");
return -EINVAL;
}
Reported by FlawFinder.
Line: 135
Column: 5
CWE codes:
120
20
return ret;
dev_dbg(&s->client->dev, "%s: slot=%d, addr=0x%04x, %s, data=%x",
(read) ? "read" : "write", slot, addr,
(acs == SP2_CI_ATTR_ACS) ? "attr" : "io",
(read) ? mem : data);
if (read)
return mem;
Reported by FlawFinder.
Line: 137
Column: 5
CWE codes:
120
20
dev_dbg(&s->client->dev, "%s: slot=%d, addr=0x%04x, %s, data=%x",
(read) ? "read" : "write", slot, addr,
(acs == SP2_CI_ATTR_ACS) ? "attr" : "io",
(read) ? mem : data);
if (read)
return mem;
else
return 0;
Reported by FlawFinder.
drivers/net/ethernet/amd/atarilance.c
8 issues
Line: 147
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* The LANCE initialization block, described in databook. */
struct lance_init_block {
unsigned short mode; /* Pre-set mode */
unsigned char hwaddr[6]; /* Physical ethernet address */
unsigned filter[2]; /* Multicast filter (unused). */
/* Receive and transmit ring base, along with length bits. */
struct ringdesc rx_ring;
struct ringdesc tx_ring;
};
Reported by FlawFinder.
Line: 184
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* prefix for Riebl cards, the 00:00 at the end is arbitrary.
*/
static unsigned char OldRieblDefHwaddr[6] = {
0x00, 0x00, 0x36, 0x04, 0x00, 0x00
};
/* I/O registers of the Lance chip */
Reported by FlawFinder.
Line: 194
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lance_ioreg {
/* base+0x0 */ volatile unsigned short data;
/* base+0x2 */ volatile unsigned short addr;
unsigned char _dummy1[3];
/* base+0x7 */ volatile unsigned char ivec;
unsigned char _dummy2[5];
/* base+0xd */ volatile unsigned char eeprom;
unsigned char _dummy3;
/* base+0xf */ volatile unsigned char mem;
Reported by FlawFinder.
Line: 196
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* base+0x2 */ volatile unsigned short addr;
unsigned char _dummy1[3];
/* base+0x7 */ volatile unsigned char ivec;
unsigned char _dummy2[5];
/* base+0xd */ volatile unsigned char eeprom;
unsigned char _dummy3;
/* base+0xf */ volatile unsigned char mem;
};
Reported by FlawFinder.
Line: 386
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!dev)
return ERR_PTR(-ENOMEM);
if (unit >= 0) {
sprintf(dev->name, "eth%d", unit);
netdev_boot_setup_check(dev);
}
for( i = 0; i < N_LANCE_ADDR; ++i ) {
if (lance_probe1( dev, &lance_addr_list[i] )) {
Reported by FlawFinder.
Line: 536
Column: 53
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MEM = (struct lance_memory *)memaddr;
IO = lp->iobase = (struct lance_ioreg *)ioaddr;
dev->base_addr = (unsigned long)ioaddr; /* informational only */
lp->memcpy_f = init_rec->slow_flag ? slow_memcpy : memcpy;
REGA( CSR0 ) = CSR0_STOP;
/* Now test for type: If the eeprom I/O port is readable, it is a
* PAM card */
Reported by FlawFinder.
Line: 589
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch( lp->cardtype ) {
case OLD_RIEBL:
/* No ethernet address! (Set some default address) */
memcpy(dev->dev_addr, OldRieblDefHwaddr, ETH_ALEN);
break;
case NEW_RIEBL:
lp->memcpy_f(dev->dev_addr, RIEBL_HWADDR_ADDR, ETH_ALEN);
break;
case PAM_CARD:
Reported by FlawFinder.
Line: 1130
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
}
memcpy( dev->dev_addr, saddr->sa_data, dev->addr_len );
for( i = 0; i < 6; i++ )
MEM->init.hwaddr[i] = dev->dev_addr[i^1]; /* <- 16 bit swap! */
lp->memcpy_f( RIEBL_HWADDR_ADDR, dev->dev_addr, 6 );
/* set also the magic for future sessions */
*RIEBL_MAGIC_ADDR = RIEBL_MAGIC;
Reported by FlawFinder.
drivers/mtd/nand/raw/tegra_nand.c
8 issues
Line: 454
NAND_OP_PARSER_PAT_ADDR_ELEM(true, 8),
NAND_OP_PARSER_PAT_CMD_ELEM(true),
NAND_OP_PARSER_PAT_WAITRDY_ELEM(true),
NAND_OP_PARSER_PAT_DATA_IN_ELEM(true, 4)),
);
static void tegra_nand_select_target(struct nand_chip *chip,
unsigned int die_nr)
{
Reported by Cppcheck.
Line: 411
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd |= COMMAND_TRANS_SIZE(size) | COMMAND_PIO |
COMMAND_TX | COMMAND_A_VALID;
memcpy(&reg, instr->ctx.data.buf.out + offset, size);
writel_relaxed(reg, ctrl->regs + RESP);
break;
case NAND_OP_WAITRDY_INSTR:
Reported by FlawFinder.
Line: 435
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (instr_data_in) {
reg = readl_relaxed(ctrl->regs + RESP);
memcpy(instr_data_in->ctx.data.buf.in + offset, &reg, size);
}
return 0;
}
Reported by FlawFinder.
Line: 495
Column: 10
CWE codes:
120
20
static int tegra_nand_page_xfer(struct mtd_info *mtd, struct nand_chip *chip,
void *buf, void *oob_buf, int oob_len, int page,
bool read)
{
struct tegra_nand_controller *ctrl = to_tegra_ctrl(chip->controller);
enum dma_data_direction dir = read ? DMA_FROM_DEVICE : DMA_TO_DEVICE;
dma_addr_t dma_addr = 0, dma_addr_oob = 0;
u32 addr1, cmd, dma_ctrl;
Reported by FlawFinder.
Line: 498
Column: 32
CWE codes:
120
20
bool read)
{
struct tegra_nand_controller *ctrl = to_tegra_ctrl(chip->controller);
enum dma_data_direction dir = read ? DMA_FROM_DEVICE : DMA_TO_DEVICE;
dma_addr_t dma_addr = 0, dma_addr_oob = 0;
u32 addr1, cmd, dma_ctrl;
int ret;
tegra_nand_select_target(chip, chip->cur_cs);
Reported by FlawFinder.
Line: 505
Column: 6
CWE codes:
120
20
tegra_nand_select_target(chip, chip->cur_cs);
if (read) {
writel_relaxed(NAND_CMD_READ0, ctrl->regs + CMD_REG1);
writel_relaxed(NAND_CMD_READSTART, ctrl->regs + CMD_REG2);
} else {
writel_relaxed(NAND_CMD_SEQIN, ctrl->regs + CMD_REG1);
writel_relaxed(NAND_CMD_PAGEPROG, ctrl->regs + CMD_REG2);
Reported by FlawFinder.
Line: 563
Column: 6
CWE codes:
120
20
if (oob_buf)
dma_ctrl |= DMA_MST_CTRL_EN_B;
if (read)
dma_ctrl |= DMA_MST_CTRL_IN | DMA_MST_CTRL_REUSE;
else
dma_ctrl |= DMA_MST_CTRL_OUT;
writel_relaxed(dma_ctrl, ctrl->regs + DMA_MST_CTRL);
Reported by FlawFinder.
drivers/media/test-drivers/vidtv/vidtv_psi.c
8 issues
Line: 342
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
desc->format_id = format_id;
if (additional_ident_info && additional_info_len)
memcpy(desc->additional_identification_info,
additional_ident_info,
additional_info_len);
vidtv_psi_desc_chain(head, (struct vidtv_psi_desc *)desc);
return desc;
Reported by FlawFinder.
Line: 1981
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*
* Let's make the event to start on a full hour
*/
memcpy(e->start_time, &mjd_be, sizeof(mjd_be));
e->start_time[2] = bin2bcd(time.tm_hour);
e->start_time[3] = 0;
e->start_time[4] = 0;
/*
Reported by FlawFinder.
Line: 291
Column: 40
CWE codes:
126
char *provider_name)
{
struct vidtv_psi_desc_service *desc;
u32 service_name_len = service_name ? strlen(service_name) : 0;
u32 provider_name_len = provider_name ? strlen(provider_name) : 0;
desc = kzalloc(sizeof(*desc), GFP_KERNEL);
if (!desc)
return NULL;
Reported by FlawFinder.
Line: 292
Column: 42
CWE codes:
126
{
struct vidtv_psi_desc_service *desc;
u32 service_name_len = service_name ? strlen(service_name) : 0;
u32 provider_name_len = provider_name ? strlen(provider_name) : 0;
desc = kzalloc(sizeof(*desc), GFP_KERNEL);
if (!desc)
return NULL;
Reported by FlawFinder.
Line: 353
Column: 40
CWE codes:
126
struct vidtv_psi_desc_network_name
*vidtv_psi_network_name_desc_init(struct vidtv_psi_desc *head, char *network_name)
{
u32 network_name_len = network_name ? strlen(network_name) : 0;
struct vidtv_psi_desc_network_name *desc;
desc = kzalloc(sizeof(*desc), GFP_KERNEL);
if (!desc)
return NULL;
Reported by FlawFinder.
Line: 427
Column: 37
CWE codes:
126
char *event_name,
char *text)
{
u32 iso_len = iso_language_code ? strlen(iso_language_code) : 0;
u32 event_name_len = event_name ? strlen(event_name) : 0;
struct vidtv_psi_desc_short_event *desc;
u32 text_len = text ? strlen(text) : 0;
desc = kzalloc(sizeof(*desc), GFP_KERNEL);
Reported by FlawFinder.
Line: 428
Column: 36
CWE codes:
126
char *text)
{
u32 iso_len = iso_language_code ? strlen(iso_language_code) : 0;
u32 event_name_len = event_name ? strlen(event_name) : 0;
struct vidtv_psi_desc_short_event *desc;
u32 text_len = text ? strlen(text) : 0;
desc = kzalloc(sizeof(*desc), GFP_KERNEL);
if (!desc)
Reported by FlawFinder.
Line: 430
Column: 25
CWE codes:
126
u32 iso_len = iso_language_code ? strlen(iso_language_code) : 0;
u32 event_name_len = event_name ? strlen(event_name) : 0;
struct vidtv_psi_desc_short_event *desc;
u32 text_len = text ? strlen(text) : 0;
desc = kzalloc(sizeof(*desc), GFP_KERNEL);
if (!desc)
return NULL;
Reported by FlawFinder.
drivers/media/i2c/tvaudio.c
8 issues
Line: 70
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* i2c command */
typedef struct AUDIOCMD {
int count; /* # of bytes to send */
unsigned char bytes[MAXREGS+1]; /* addr, data, data, ... */
} audiocmd;
/* chip description */
struct CHIPDESC {
char *name; /* chip name */
Reported by FlawFinder.
Line: 158
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct v4l2_subdev *sd = &chip->sd;
struct i2c_client *c = v4l2_get_subdevdata(sd);
unsigned char buffer[2];
int rc;
if (subaddr < 0) {
v4l2_dbg(1, debug, sd, "chip_write: 0x%x\n", val);
chip->shadow.bytes[1] = val;
Reported by FlawFinder.
Line: 242
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct v4l2_subdev *sd = &chip->sd;
struct i2c_client *c = v4l2_get_subdevdata(sd);
int rc;
unsigned char write[1];
unsigned char read[1];
struct i2c_msg msgs[2] = {
{
.addr = c->addr,
.len = 1,
Reported by FlawFinder.
Line: 243
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *c = v4l2_get_subdevdata(sd);
int rc;
unsigned char write[1];
unsigned char read[1];
struct i2c_msg msgs[2] = {
{
.addr = c->addr,
.len = 1,
.buf = write
Reported by FlawFinder.
Line: 243
Column: 16
CWE codes:
120
20
struct i2c_client *c = v4l2_get_subdevdata(sd);
int rc;
unsigned char write[1];
unsigned char read[1];
struct i2c_msg msgs[2] = {
{
.addr = c->addr,
.len = 1,
.buf = write
Reported by FlawFinder.
Line: 268
Column: 12
CWE codes:
120
20
return -EIO;
}
v4l2_dbg(1, debug, sd, "chip_read2: reg%d=0x%x\n",
subaddr, read[0]);
return read[0];
}
static int chip_cmd(struct CHIPSTATE *chip, char *name, audiocmd *cmd)
{
Reported by FlawFinder.
Line: 269
Column: 9
CWE codes:
120
20
}
v4l2_dbg(1, debug, sd, "chip_read2: reg%d=0x%x\n",
subaddr, read[0]);
return read[0];
}
static int chip_cmd(struct CHIPSTATE *chip, char *name, audiocmd *cmd)
{
struct v4l2_subdev *sd = &chip->sd;
Reported by FlawFinder.
drivers/net/appletalk/ltpc.c
8 issues
Line: 914
CWE codes:
758
if(debug & DEBUG_UPPER) {
printk("command ");
for(i=0;i<6;i++)
printk("%02x ",((unsigned char *)&cbuf)[i]);
printk("\n");
}
hdr = skb_transport_header(skb);
do_write(dev, &cbuf, sizeof(cbuf), hdr, skb->len);
Reported by Cppcheck.
Line: 334
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct xmitQel qels[16];
/* and their corresponding mailboxes */
static unsigned char mailbox[16];
static unsigned char mboxinuse[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static int wait_timeout(struct net_device *dev, int c)
{
/* returns true if it stayed c */
Reported by FlawFinder.
Line: 335
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* and their corresponding mailboxes */
static unsigned char mailbox[16];
static unsigned char mboxinuse[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static int wait_timeout(struct net_device *dev, int c)
{
/* returns true if it stayed c */
/* this uses base+6, but it's ok */
Reported by FlawFinder.
Line: 488
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
/* ready made command for getting the result from the card */
static unsigned char rescbuf[2] = {LT_GETRESULT,0};
static unsigned char resdbuf[2];
static int QInIdle;
/* idle expects to be called with the IRQ line high -- either because of
Reported by FlawFinder.
Line: 489
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* ready made command for getting the result from the card */
static unsigned char rescbuf[2] = {LT_GETRESULT,0};
static unsigned char resdbuf[2];
static int QInIdle;
/* idle expects to be called with the IRQ line high -- either because of
* an interrupt, or because the line is tri-stated
Reported by FlawFinder.
Line: 576
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if(debug & DEBUG_LOWER) printk("idle: fa\n");
if (xmQhd) {
q=deQ();
memcpy(ltdmacbuf,q->cbuf,q->cbuflen);
ltdmacbuf[1] = q->mailbox;
if (debug>1) {
int n;
printk("ltpc: sent command ");
n = q->cbuflen;
Reported by FlawFinder.
Line: 615
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* data transfer ready */
if(debug & DEBUG_LOWER) printk("idle: fb\n");
if(q->QWrite) {
memcpy(ltdmabuf,q->dbuf,q->dbuflen);
handlewrite(dev);
} else {
handleread(dev);
/* non-zero mailbox numbers are for
commmands, 0 is for GETRESULT
Reported by FlawFinder.
Line: 623
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
commmands, 0 is for GETRESULT
requests */
if(q->mailbox) {
memcpy(q->dbuf,ltdmabuf,q->dbuflen);
} else {
/* this was a result */
mailbox[ 0x0f & ltdmabuf[0] ] = ltdmabuf[1];
mboxinuse[0]=0;
}
Reported by FlawFinder.
drivers/misc/mei/bus.c
8 issues
Line: 102
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cb->internal = !!(mode & MEI_CL_IO_TX_INTERNAL);
cb->blocking = !!(mode & MEI_CL_IO_TX_BLOCKING);
memcpy(cb->buf.data, buf, length);
rets = mei_cl_write(cl, cb);
out:
mutex_unlock(&bus->device_lock);
Reported by FlawFinder.
Line: 209
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
r_length = min_t(size_t, length, cb->buf_idx);
memcpy(buf, cb->buf.data, r_length);
rets = r_length;
if (vtag)
*vtag = cb->vtag;
free:
Reported by FlawFinder.
Line: 918
Column: 9
CWE codes:
120
Suggestion:
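Use sprintf_s, snprintf, or vsnprintf. This and the following mei entries are sysfs show callbacks that format a single short value; sprintf_s is not available in kernel code, and the kernel's own bounded helper for this case is sysfs_emit().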
struct mei_cl_device *cldev = to_mei_cl_device(dev);
const uuid_le *uuid = mei_me_cl_uuid(cldev->me_cl);
return sprintf(buf, "%pUl", uuid);
}
static DEVICE_ATTR_RO(uuid);
static ssize_t version_show(struct device *dev, struct device_attribute *a,
char *buf)
Reported by FlawFinder.
Line: 928
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mei_cl_device *cldev = to_mei_cl_device(dev);
u8 version = mei_me_cl_ver(cldev->me_cl);
return sprintf(buf, "%02X", version);
}
static DEVICE_ATTR_RO(version);
static ssize_t modalias_show(struct device *dev, struct device_attribute *a,
char *buf)
Reported by FlawFinder.
Line: 950
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mei_cl_device *cldev = to_mei_cl_device(dev);
u8 maxconn = mei_me_cl_max_conn(cldev->me_cl);
return sprintf(buf, "%d", maxconn);
}
static DEVICE_ATTR_RO(max_conn);
static ssize_t fixed_show(struct device *dev, struct device_attribute *a,
char *buf)
Reported by FlawFinder.
Line: 960
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mei_cl_device *cldev = to_mei_cl_device(dev);
u8 fixed = mei_me_cl_fixed(cldev->me_cl);
return sprintf(buf, "%d", fixed);
}
static DEVICE_ATTR_RO(fixed);
static ssize_t vtag_show(struct device *dev, struct device_attribute *a,
char *buf)
Reported by FlawFinder.
Line: 970
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mei_cl_device *cldev = to_mei_cl_device(dev);
bool vt = mei_me_cl_vt(cldev->me_cl);
return sprintf(buf, "%d", vt);
}
static DEVICE_ATTR_RO(vtag);
static ssize_t max_len_show(struct device *dev, struct device_attribute *a,
char *buf)
Reported by FlawFinder.
Line: 980
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct mei_cl_device *cldev = to_mei_cl_device(dev);
u32 maxlen = mei_me_cl_max_len(cldev->me_cl);
return sprintf(buf, "%u", maxlen);
}
static DEVICE_ATTR_RO(max_len);
static struct attribute *mei_cldev_attrs[] = {
&dev_attr_name.attr,
Reported by FlawFinder.
drivers/message/fusion/mptctl.c
8 issues
Line: 228
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ioc->ioctl_cmds.status |= MPT_MGMT_STATUS_RF_VALID;
sz = min(ioc->reply_sz, 4*reply->u.reply.MsgLength);
memcpy(ioc->ioctl_cmds.reply, reply, sz);
if (reply->u.reply.IOCStatus || reply->u.reply.IOCLogInfo)
dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT
"iocstatus (0x%04X), loginfo (0x%08X)\n", ioc->name,
le16_to_cpu(reply->u.reply.IOCStatus),
Reported by FlawFinder.
Line: 256
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
le16_to_cpu(req->u.frame.hwhdr.msgctxu.fld.req_idx);
sense_data = ((u8 *)ioc->sense_buf_pool +
(req_index * MPT_SENSE_BUFFER_ALLOC));
memcpy(ioc->ioctl_cmds.sense, sense_data, sz);
ioc->ioctl_cmds.status |= MPT_MGMT_STATUS_SENSE_VALID;
}
}
out:
Reported by FlawFinder.
Line: 301
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
ioc->taskmgmt_cmds.status |= MPT_MGMT_STATUS_RF_VALID;
memcpy(ioc->taskmgmt_cmds.reply, mr,
min(MPT_DEFAULT_FRAME_SIZE, 4 * mr->u.reply.MsgLength));
out:
if (ioc->taskmgmt_cmds.status & MPT_MGMT_STATUS_PENDING) {
mpt_clear_taskmgmt_in_progress_flag(ioc);
ioc->taskmgmt_cmds.status &= ~MPT_MGMT_STATUS_PENDING;
Reported by FlawFinder.
Line: 1327
Column: 2
CWE codes:
120
/* Set the Version Strings.
*/
strncpy (karg->driverVersion, MPT_LINUX_PACKAGE_NAME, MPT_IOCTL_VERSION_LENGTH);
karg->driverVersion[MPT_IOCTL_VERSION_LENGTH-1]='\0';
karg->busChangeEvent = 0;
karg->hostId = ioc->pfacts[port].PortSCSIID;
karg->rsvd[0] = karg->rsvd[1] = 0;
Reported by FlawFinder.
Line: 1492
Column: 2
CWE codes:
120
#else
karg.chip_type = ioc->pcidev->device;
#endif
strncpy (karg.name, ioc->name, MPT_MAX_NAME);
karg.name[MPT_MAX_NAME-1]='\0';
strncpy (karg.product, ioc->prod_name, MPT_PRODUCT_LENGTH);
karg.product[MPT_PRODUCT_LENGTH-1]='\0';
/* Copy the data from kernel memory to user memory
Reported by FlawFinder.
Line: 1494
Column: 2
CWE codes:
120
#endif
strncpy (karg.name, ioc->name, MPT_MAX_NAME);
karg.name[MPT_MAX_NAME-1]='\0';
strncpy (karg.product, ioc->prod_name, MPT_PRODUCT_LENGTH);
karg.product[MPT_PRODUCT_LENGTH-1]='\0';
/* Copy the data from kernel memory to user memory
*/
if (copy_to_user((char __user *)arg, &karg, sizeof(struct mpt_ioctl_test))) {
Reported by FlawFinder.
Line: 2392
Column: 2
CWE codes:
120
cfg.dir = 0; /* read */
cfg.timeout = 10;
strncpy(karg.serial_number, " ", 24);
if (mpt_config(ioc, &cfg) == 0) {
if (cfg.cfghdr.hdr->PageLength > 0) {
/* Issue the second config page request */
cfg.action = MPI_CONFIG_ACTION_PAGE_READ_CURRENT;
Reported by FlawFinder.
Line: 2403
Column: 10
CWE codes:
126
cfg.physAddr = buf_dma;
if (mpt_config(ioc, &cfg) == 0) {
ManufacturingPage0_t *pdata = (ManufacturingPage0_t *) pbuf;
if (strlen(pdata->BoardTracerNumber) > 1) {
strlcpy(karg.serial_number,
pdata->BoardTracerNumber, 24);
}
}
pci_free_consistent(ioc->pcidev, hdr.PageLength * 4, pbuf, buf_dma);
Reported by FlawFinder.