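The following issues were found by static analysis (FlawFinder and Cppcheck). FlawFinder matches risky function and declaration names lexically and does not track buffer sizes or data flow, so each entry is a candidate to triage against the surrounding code, not a confirmed vulnerability.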
drivers/dma/qcom/hidma_mgmt_sys.c
6 issues
Line: 109
Column: 4
CWE codes:
120
Suggestion:
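Use sprintf_s, snprintf, or vsnprintf. (sprintf_s is a C11 Annex K function and is not available in kernel code; the in-tree bounded formatters are snprintf()/scnprintf(), or sysfs_emit() if this is a sysfs show callback, which the excerpt does not confirm. A single "%d\n" produces only a few bytes, so the practical overflow risk at this call is low.)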
for (i = 0; i < ARRAY_SIZE(hidma_mgmt_files); i++) {
if (strcmp(attr->attr.name, hidma_mgmt_files[i].name) == 0) {
sprintf(buf, "%d\n", hidma_mgmt_files[i].get(mdev));
break;
}
}
return strlen(buf);
}
Reported by FlawFinder.
Line: 150
Column: 3
CWE codes:
120
Suggestion:
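Use sprintf_s, snprintf, or vsnprintf. In this excerpt buf is written only when the attribute name is "priority" or "weight"; for any other name strlen(buf) measures whatever is already in buf, unless buf is initialised above the excerpt. Returning the length from the formatting call avoids depending on that.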
chattr = container_of(attr, struct hidma_chan_attr, attr);
mdev = chattr->mdev;
if (strcmp(attr->attr.name, "priority") == 0)
sprintf(buf, "%d\n", mdev->priority[chattr->index]);
else if (strcmp(attr->attr.name, "weight") == 0)
sprintf(buf, "%d\n", mdev->weight[chattr->index]);
return strlen(buf);
}
Reported by FlawFinder.
Line: 152
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (strcmp(attr->attr.name, "priority") == 0)
sprintf(buf, "%d\n", mdev->priority[chattr->index]);
else if (strcmp(attr->attr.name, "weight") == 0)
sprintf(buf, "%d\n", mdev->weight[chattr->index]);
return strlen(buf);
}
static ssize_t set_values_channel(struct kobject *kobj,
Reported by FlawFinder.
Line: 252
Column: 3
CWE codes:
119
120
Suggestion:
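Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the flagged declaration, char name[20], is written only through snprintf(name, sizeof(name), "chan%d", i), which is bounded by the array size; this is the generic fixed-size-array warning and the visible use is already length-limited.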
/* create each channel directory here */
for (i = 0; i < mdev->dma_channels; i++) {
char name[20];
snprintf(name, sizeof(name), "chan%d", i);
mdev->chroots[i] = kobject_create_and_add(name, chanops);
if (!mdev->chroots[i])
return -ENOMEM;
Reported by FlawFinder.
Line: 113
Column: 9
CWE codes:
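126 (buffer over-read). strlen(buf) is safe only if buf is NUL-terminated on every path; in the line 109 excerpt buf is written only when a name matches, so confirm that it is initialised before the loop, or return the length from the formatting call instead.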
break;
}
}
return strlen(buf);
}
static ssize_t set_values(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
Reported by FlawFinder.
Line: 154
Column: 9
CWE codes:
126
else if (strcmp(attr->attr.name, "weight") == 0)
sprintf(buf, "%d\n", mdev->weight[chattr->index]);
return strlen(buf);
}
static ssize_t set_values_channel(struct kobject *kobj,
struct kobj_attribute *attr, const char *buf,
size_t count)
Reported by FlawFinder.
drivers/edac/armada_xp_edac.c
6 issues
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* bank interleaving */
bool cs_addr_sel[SDRAM_NUM_CS];
char msg[128];
};
/* derived from "DRAM Address Multiplexing" in the ARMADA XP Functional Spec */
static uint32_t axp_mc_calc_address(struct axp_mc_drvdata *drvdata,
uint8_t cs, uint8_t bank, uint16_t row,
Reported by FlawFinder.
Line: 195
Column: 9
CWE codes:
120
Suggestion:
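Use sprintf_s, snprintf, or vsnprintf. The only bound on this chain is the hand-counted "/* N chars */" comments against what is presumably the 128-byte msg field shown in the line 78 finding; the width of "%x" and "%d" output depends on the operand types, which the excerpt does not show. In kernel code, scnprintf() called with the remaining space would enforce the limit rather than document it.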
syndrome_val = (recv_ecc ^ calc_ecc) & 0xff;
addr_val = axp_mc_calc_address(drvdata, cs_val, bank_val, row_val,
col_val);
msg += sprintf(msg, "row=0x%04x ", row_val); /* 11 chars */
msg += sprintf(msg, "bank=0x%x ", bank_val); /* 9 chars */
msg += sprintf(msg, "col=0x%04x ", col_val); /* 11 chars */
msg += sprintf(msg, "cs=%d", cs_val); /* 4 chars */
if (!(addr & SDRAM_ERR_ADDR_TYPE_MASK)) {
Reported by FlawFinder.
Line: 196
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
addr_val = axp_mc_calc_address(drvdata, cs_val, bank_val, row_val,
col_val);
msg += sprintf(msg, "row=0x%04x ", row_val); /* 11 chars */
msg += sprintf(msg, "bank=0x%x ", bank_val); /* 9 chars */
msg += sprintf(msg, "col=0x%04x ", col_val); /* 11 chars */
msg += sprintf(msg, "cs=%d", cs_val); /* 4 chars */
if (!(addr & SDRAM_ERR_ADDR_TYPE_MASK)) {
edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci,
Reported by FlawFinder.
Line: 197
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
col_val);
msg += sprintf(msg, "row=0x%04x ", row_val); /* 11 chars */
msg += sprintf(msg, "bank=0x%x ", bank_val); /* 9 chars */
msg += sprintf(msg, "col=0x%04x ", col_val); /* 11 chars */
msg += sprintf(msg, "cs=%d", cs_val); /* 4 chars */
if (!(addr & SDRAM_ERR_ADDR_TYPE_MASK)) {
edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci,
1, /* error count */
Reported by FlawFinder.
Line: 198
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
msg += sprintf(msg, "row=0x%04x ", row_val); /* 11 chars */
msg += sprintf(msg, "bank=0x%x ", bank_val); /* 9 chars */
msg += sprintf(msg, "col=0x%04x ", col_val); /* 11 chars */
msg += sprintf(msg, "cs=%d", cs_val); /* 4 chars */
if (!(addr & SDRAM_ERR_ADDR_TYPE_MASK)) {
edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci,
1, /* error count */
addr_val >> PAGE_SHIFT,
Reported by FlawFinder.
Line: 386
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct aurora_l2_drvdata {
void __iomem *base;
char msg[128];
/* error injection via debugfs */
uint32_t inject_addr;
uint32_t inject_mask;
uint8_t inject_ctl;
Reported by FlawFinder.
drivers/crypto/ccp/ccp-ops.c
6 issues
Line: 1660
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case CCP_SHA_TYPE_1:
case CCP_SHA_TYPE_224:
case CCP_SHA_TYPE_256:
memcpy(ctx.address + ioffset, init, ctx_size);
break;
case CCP_SHA_TYPE_384:
case CCP_SHA_TYPE_512:
memcpy(ctx.address + ctx_size / 2, init,
ctx_size / 2);
Reported by FlawFinder.
Line: 1664
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case CCP_SHA_TYPE_384:
case CCP_SHA_TYPE_512:
memcpy(ctx.address + ctx_size / 2, init,
ctx_size / 2);
memcpy(ctx.address, init + ctx_size / 2,
ctx_size / 2);
break;
default:
Reported by FlawFinder.
Line: 1666
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case CCP_SHA_TYPE_512:
memcpy(ctx.address + ctx_size / 2, init,
ctx_size / 2);
memcpy(ctx.address, init + ctx_size / 2,
ctx_size / 2);
break;
default:
ret = -EINVAL;
goto e_ctx;
Reported by FlawFinder.
Line: 1779
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case CCP_SHA_TYPE_1:
case CCP_SHA_TYPE_224:
case CCP_SHA_TYPE_256:
memcpy(hmac_buf + block_size,
ctx.address + ooffset,
digest_size);
break;
case CCP_SHA_TYPE_384:
case CCP_SHA_TYPE_512:
Reported by FlawFinder.
Line: 1785
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case CCP_SHA_TYPE_384:
case CCP_SHA_TYPE_512:
memcpy(hmac_buf + block_size,
ctx.address + LSB_ITEM_SIZE + ooffset,
LSB_ITEM_SIZE);
memcpy(hmac_buf + block_size +
(LSB_ITEM_SIZE - ooffset),
ctx.address,
Reported by FlawFinder.
Line: 1788
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(hmac_buf + block_size,
ctx.address + LSB_ITEM_SIZE + ooffset,
LSB_ITEM_SIZE);
memcpy(hmac_buf + block_size +
(LSB_ITEM_SIZE - ooffset),
ctx.address,
LSB_ITEM_SIZE);
break;
default:
Reported by FlawFinder.
drivers/block/sunvdc.c
6 issues
Line: 845
Column: 2
CWE codes:
120
Suggestion:
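Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source, port->disk_name, is a char[32] filled by size-limited snprintf() calls (see the line 89, 990 and 995 findings), so it is always terminated; whether the copy fits depends on the size of g->disk_name, which the excerpt does not show. In kernel code strscpy() with the destination's size is the bounded form.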
g->major = vdc_major;
g->first_minor = port->vio.vdev->dev_no << PARTITION_SHIFT;
g->minors = 1 << PARTITION_SHIFT;
strcpy(g->disk_name, port->disk_name);
g->fops = &vdc_fops;
g->queue = q;
g->private_data = port;
Reported by FlawFinder.
Line: 990
Column: 3
CWE codes:
134
Suggestion:
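Use a constant for the format specification. The format here is VDCBLK_NAME "%c%c", i.e. adjacent string-literal concatenation, which only compiles if VDCBLK_NAME expands to a string literal; the format is therefore already a compile-time constant and this CWE-134 hit is a false positive. The line 995 finding is the same pattern.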
}
if (vdev->dev_no >= 26)
snprintf(port->disk_name, sizeof(port->disk_name),
VDCBLK_NAME "%c%c",
'a' + ((int)vdev->dev_no / 26) - 1,
'a' + ((int)vdev->dev_no % 26));
else
snprintf(port->disk_name, sizeof(port->disk_name),
Reported by FlawFinder.
Line: 995
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
'a' + ((int)vdev->dev_no / 26) - 1,
'a' + ((int)vdev->dev_no % 26));
else
snprintf(port->disk_name, sizeof(port->disk_name),
VDCBLK_NAME "%c", 'a' + ((int)vdev->dev_no % 26));
port->vdisk_size = -1;
/* Actual wall time may be double due to do_generic_file_read() doing
* a readahead I/O first, and once that fails it will try to read a
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct blk_mq_tag_set tag_set;
char disk_name[32];
};
static void vdc_ldc_reset(struct vdc_port *port);
static void vdc_ldc_reset_work(struct work_struct *work);
static void vdc_ldc_reset_timer_work(struct work_struct *work);
Reported by FlawFinder.
Line: 651
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = op_len;
if (map_perm & LDC_MAP_R)
memcpy(req_buf, buf, len);
spin_lock_irqsave(&port->vio.lock, flags);
dr = &port->vio.drings[VIO_DRIVER_TX_RING];
Reported by FlawFinder.
Line: 704
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (map_perm & LDC_MAP_W)
memcpy(buf, req_buf, len);
kfree(req_buf);
return err;
}
Reported by FlawFinder.
drivers/firmware/raspberrypi.c
6 issues
Line: 168
CWE codes:
476
header->tag = tag;
header->buf_size = buf_size;
header->req_resp_size = 0;
memcpy(data + sizeof(*header), tag_data, buf_size);
ret = rpi_firmware_property_list(fw, data, buf_size + sizeof(*header));
memcpy(tag_data, data + sizeof(*header), buf_size);
Reported by Cppcheck.
Line: 172
CWE codes:
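476 (NULL pointer dereference). data is released with kfree() in this excerpt, so it comes from a heap allocation; the allocation and any NULL check are above the excerpt and must be read before this finding is accepted or dismissed.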
ret = rpi_firmware_property_list(fw, data, buf_size + sizeof(*header));
memcpy(tag_data, data + sizeof(*header), buf_size);
kfree(data);
return ret;
}
Reported by Cppcheck.
Line: 109
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[0] = size;
buf[1] = RPI_FIRMWARE_STATUS_REQUEST;
memcpy(&buf[2], data, tag_size);
buf[size / 4 - 1] = RPI_FIRMWARE_PROPERTY_END;
wmb();
ret = rpi_firmware_transaction(fw, MBOX_CHAN_PROPERTY, bus_addr);
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = rpi_firmware_transaction(fw, MBOX_CHAN_PROPERTY, bus_addr);
rmb();
memcpy(data, &buf[2], tag_size);
if (ret == 0 && buf[1] != RPI_FIRMWARE_STATUS_SUCCESS) {
/*
* The tag name here might not be the one causing the
* error, if there were multiple tags in the request.
* But single-tag is the most common, so go with it.
Reported by FlawFinder.
Line: 168
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
header->tag = tag;
header->buf_size = buf_size;
header->req_resp_size = 0;
memcpy(data + sizeof(*header), tag_data, buf_size);
ret = rpi_firmware_property_list(fw, data, buf_size + sizeof(*header));
memcpy(tag_data, data + sizeof(*header), buf_size);
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = rpi_firmware_property_list(fw, data, buf_size + sizeof(*header));
memcpy(tag_data, data + sizeof(*header), buf_size);
kfree(data);
return ret;
}
Reported by FlawFinder.
drivers/acpi/pci_mcfg.c
6 issues
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_PCI_QUIRKS
struct mcfg_fixup {
char oem_id[ACPI_OEM_ID_SIZE + 1];
char oem_table_id[ACPI_OEM_TABLE_ID_SIZE + 1];
u32 oem_revision;
u16 segment;
struct resource bus_range;
const struct pci_ecam_ops *ops;
Reported by FlawFinder.
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_PCI_QUIRKS
struct mcfg_fixup {
char oem_id[ACPI_OEM_ID_SIZE + 1];
char oem_table_id[ACPI_OEM_TABLE_ID_SIZE + 1];
u32 oem_revision;
u16 segment;
struct resource bus_range;
const struct pci_ecam_ops *ops;
struct resource cfgres;
Reported by FlawFinder.
Line: 174
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ALTRA_ECAM_QUIRK(1, 15),
};
static char mcfg_oem_id[ACPI_OEM_ID_SIZE];
static char mcfg_oem_table_id[ACPI_OEM_TABLE_ID_SIZE];
static u32 mcfg_oem_revision;
static int pci_mcfg_quirk_matches(struct mcfg_fixup *f, u16 segment,
struct resource *bus_range)
Reported by FlawFinder.
Line: 175
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
static char mcfg_oem_id[ACPI_OEM_ID_SIZE];
static char mcfg_oem_table_id[ACPI_OEM_TABLE_ID_SIZE];
static u32 mcfg_oem_revision;
static int pci_mcfg_quirk_matches(struct mcfg_fixup *f, u16 segment,
struct resource *bus_range)
{
Reported by FlawFinder.
Line: 296
Column: 2
CWE codes:
120
Suggestion:
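Make sure destination can always hold the source data. The copy length equals the declared size of each destination (static char mcfg_oem_id[ACPI_OEM_ID_SIZE] and mcfg_oem_table_id[ACPI_OEM_TABLE_ID_SIZE], shown in the line 174 and 175 findings), so the destinations hold it. Those buffers have no room for a terminator, so consumers must compare them with a fixed length rather than treat them as C strings.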
#ifdef CONFIG_PCI_QUIRKS
/* Save MCFG IDs and revision for quirks matching */
memcpy(mcfg_oem_id, header->oem_id, ACPI_OEM_ID_SIZE);
memcpy(mcfg_oem_table_id, header->oem_table_id, ACPI_OEM_TABLE_ID_SIZE);
mcfg_oem_revision = header->oem_revision;
#endif
pr_info("MCFG table detected, %d entries\n", n);
Reported by FlawFinder.
Line: 297
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef CONFIG_PCI_QUIRKS
/* Save MCFG IDs and revision for quirks matching */
memcpy(mcfg_oem_id, header->oem_id, ACPI_OEM_ID_SIZE);
memcpy(mcfg_oem_table_id, header->oem_table_id, ACPI_OEM_TABLE_ID_SIZE);
mcfg_oem_revision = header->oem_revision;
#endif
pr_info("MCFG table detected, %d entries\n", n);
return 0;
Reported by FlawFinder.
drivers/acpi/pci_irq.c
6 issues
Line: 80
Column: 30
CWE codes:
78
Suggestion:
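try using a library call that implements the same functionality if available. The token matched at this column is the struct member named system (const struct dmi_system_id *system), not a call to system(); no command is executed, so this CWE-78 hit is a false positive. The line 118 finding matches the same member in quirk->system.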
};
struct prt_quirk {
const struct dmi_system_id *system;
unsigned int segment;
unsigned int bus;
unsigned int device;
unsigned char pin;
const char *source; /* according to BIOS */
Reported by FlawFinder.
Line: 118
Column: 31
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
quirk = &prt_quirks[i];
/* All current quirks involve link devices, not GSIs */
if (dmi_check_system(quirk->system) &&
entry->id.segment == quirk->segment &&
entry->id.bus == quirk->bus &&
entry->id.device == quirk->device &&
entry->pin == quirk->pin &&
!strcmp(prt->source, quirk->source) &&
Reported by FlawFinder.
Line: 131
Column: 4
CWE codes:
120
Suggestion:
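Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The copy is reached only when strlen(prt->source) >= strlen(quirk->actual_source) holds (the condition shown in the line 124 findings), so the replacement string fits in the space the existing string already occupies; a bounded copy would still make that guarantee explicit at the call site.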
entry->id.segment, entry->id.bus,
entry->id.device, pin_name(entry->pin),
prt->source, quirk->actual_source);
strcpy(prt->source, quirk->actual_source);
}
}
}
static int acpi_pci_irq_check_entry(acpi_handle handle, struct pci_dev *dev,
Reported by FlawFinder.
Line: 399
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int polarity = acpi_irq_model == ACPI_IRQ_MODEL_GIC ?
ACPI_ACTIVE_HIGH : ACPI_ACTIVE_LOW;
char *link = NULL;
char link_desc[16];
int rc;
pin = dev->pin;
if (!pin) {
dev_dbg(&dev->dev, "No interrupt pin configured\n");
Reported by FlawFinder.
Line: 124
Column: 7
CWE codes:
126
entry->id.device == quirk->device &&
entry->pin == quirk->pin &&
!strcmp(prt->source, quirk->source) &&
strlen(prt->source) >= strlen(quirk->actual_source)) {
pr_warn("Firmware reports "
"%04x:%02x:%02x PCI INT %c connected to %s; "
"changing to %s\n",
entry->id.segment, entry->id.bus,
entry->id.device, pin_name(entry->pin),
Reported by FlawFinder.
Line: 124
Column: 30
CWE codes:
126
entry->id.device == quirk->device &&
entry->pin == quirk->pin &&
!strcmp(prt->source, quirk->source) &&
strlen(prt->source) >= strlen(quirk->actual_source)) {
pr_warn("Firmware reports "
"%04x:%02x:%02x PCI INT %c connected to %s; "
"changing to %s\n",
entry->id.segment, entry->id.bus,
entry->id.device, pin_name(entry->pin),
Reported by FlawFinder.
drivers/block/virtio_blk.c
6 issues
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct virtio_blk_vq {
struct virtqueue *vq;
spinlock_t lock;
char name[VQ_NAME_LEN];
} ____cacheline_aligned_in_smp;
struct virtio_blk {
/*
* This mutex must be held by anything that may run after
Reported by FlawFinder.
Line: 446
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct virtio_device *vdev = vblk->vdev;
struct request_queue *q = vblk->disk->queue;
char cap_str_2[10], cap_str_10[10];
unsigned long long nblocks;
u64 capacity;
/* Host must always specify the capacity. */
virtio_cread(vdev, struct virtio_blk_config, capacity, &capacity);
Reported by FlawFinder.
Line: 567
Column: 2
CWE codes:
120
Suggestion:
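Make sure destination can always hold the source data. With begin = buf + strlen(prefix) and end = buf + buflen (see the line 551 finding), both copies stay inside buf only if strlen(prefix) <= buflen and the digit loop stops while p is still at or above begin; the loop body is not in the excerpt and should be checked for such a guard.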
} while (index >= 0);
memmove(begin, p, end - p);
memcpy(buf, prefix, strlen(prefix));
return 0;
}
static int virtblk_get_cache_mode(struct virtio_device *vdev)
Reported by FlawFinder.
Line: 431
Column: 10
CWE codes:
126
buf[VIRTIO_BLK_ID_BYTES] = '\0';
err = virtblk_get_id(disk, buf);
if (!err)
return strlen(buf);
if (err == -EIO) /* Unsupported? Make it empty. */
return 0;
return err;
Reported by FlawFinder.
Line: 551
Column: 22
CWE codes:
126
static int virtblk_name_format(char *prefix, int index, char *buf, int buflen)
{
const int base = 'z' - 'a' + 1;
char *begin = buf + strlen(prefix);
char *end = buf + buflen;
char *p;
int unit;
p = end - 1;
Reported by FlawFinder.
Line: 567
Column: 22
CWE codes:
126
} while (index >= 0);
memmove(begin, p, end - p);
memcpy(buf, prefix, strlen(prefix));
return 0;
}
static int virtblk_get_cache_mode(struct virtio_device *vdev)
Reported by FlawFinder.
drivers/crypto/bcm/spu2.c
6 issues
Line: 1038
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Use hashing (only) and set up hash key */
spu2_ciph_type = SPU2_CIPHER_TYPE_NONE;
hash_parms->key_len = cipher_parms->key_len;
memcpy(hash_parms->key_buf, cipher_parms->key_buf,
cipher_parms->key_len);
cipher_parms->key_len = 0;
if (req_opts->is_rfc4543)
payload_len += assoc_size;
Reported by FlawFinder.
Line: 1092
Column: 3
CWE codes:
120
Suggestion:
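Make sure destination can always hold the source data. ptr advances by hash_parms->key_len here and then, in the lines covered by the 1097 and 1102 findings, by cipher_parms->key_len and cipher_parms->iv_len, so the header buffer must be sized for the sum of all three; where those lengths are validated is not shown in the excerpt.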
/* Write OMD */
if (hash_parms->key_len) {
memcpy(ptr, hash_parms->key_buf, hash_parms->key_len);
ptr += hash_parms->key_len;
buf_len += hash_parms->key_len;
}
if (cipher_parms->key_len) {
memcpy(ptr, cipher_parms->key_buf, cipher_parms->key_len);
Reported by FlawFinder.
Line: 1097
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf_len += hash_parms->key_len;
}
if (cipher_parms->key_len) {
memcpy(ptr, cipher_parms->key_buf, cipher_parms->key_len);
ptr += cipher_parms->key_len;
buf_len += cipher_parms->key_len;
}
if (cipher_parms->iv_len) {
memcpy(ptr, cipher_parms->iv_buf, cipher_parms->iv_len);
Reported by FlawFinder.
Line: 1102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf_len += cipher_parms->key_len;
}
if (cipher_parms->iv_len) {
memcpy(ptr, cipher_parms->iv_buf, cipher_parms->iv_len);
ptr += cipher_parms->iv_len;
buf_len += cipher_parms->iv_len;
}
packet_dump(" SPU request header: ", spu_hdr, buf_len);
Reported by FlawFinder.
Line: 1161
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Write cipher key to OMD */
omd = (u8 *)(fmd + 1);
if (cipher_parms->key_buf && cipher_parms->key_len)
memcpy(omd, cipher_parms->key_buf, cipher_parms->key_len);
packet_dump(" SPU request header: ", spu_hdr,
FMD_SIZE + cipher_parms->key_len + cipher_parms->iv_len);
return FMD_SIZE + cipher_parms->key_len + cipher_parms->iv_len;
Reported by FlawFinder.
Line: 1217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cipher_parms->alg && cipher_parms->iv_buf && cipher_parms->iv_len) {
/* cipher iv provided so put it in here */
memcpy(omd + cipher_parms->key_len, cipher_parms->iv_buf,
cipher_parms->iv_len);
}
ctrl3 = le64_to_cpu(fmd->ctrl3);
data_size &= SPU2_PL_LEN;
Reported by FlawFinder.
drivers/mtd/devices/pmc551.c
6 issues
Line: 248
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (soff_hi == eoff_hi) {
/* The whole thing fits within one access, so just one shot
will do it. */
memcpy(copyto, ptr, len);
copyto += len;
} else {
/* We have to do multiple writes to get all the data
written. */
while (soff_hi != eoff_hi) {
Reported by FlawFinder.
Line: 258
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
printk(KERN_DEBUG "pmc551_read() soff_hi: %ld, "
"eoff_hi: %ld\n", (long)soff_hi, (long)eoff_hi);
#endif
memcpy(copyto, ptr, priv->asize);
copyto += priv->asize;
if (soff_hi + priv->asize >= mtd->size) {
goto out;
}
soff_hi += priv->asize;
Reported by FlawFinder.
Line: 267
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pmc551_point(mtd, soff_hi, priv->asize, retlen,
(void **)&ptr, NULL);
}
memcpy(copyto, ptr, eoff_lo);
copyto += eoff_lo;
}
out:
#ifdef CONFIG_MTD_PMC551_DEBUG
Reported by FlawFinder.
Line: 304
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (soff_hi == eoff_hi) {
/* The whole thing fits within one access, so just one shot
will do it. */
memcpy(ptr, copyfrom, len);
copyfrom += len;
} else {
/* We have to do multiple writes to get all the data
written. */
while (soff_hi != eoff_hi) {
Reported by FlawFinder.
Line: 314
Column: 4
CWE codes:
120
Suggestion:
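Make sure destination can always hold the source data. In this excerpt the end-of-device check runs after the copy and tests soff_hi alone, whereas the read-side loop (line 258 finding) tests soff_hi + priv->asize; it is worth confirming that the difference is intended and that the window pointed to by ptr always covers priv->asize bytes.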
printk(KERN_DEBUG "pmc551_write() soff_hi: %ld, "
"eoff_hi: %ld\n", (long)soff_hi, (long)eoff_hi);
#endif
memcpy(ptr, copyfrom, priv->asize);
copyfrom += priv->asize;
if (soff_hi >= mtd->size) {
goto out;
}
soff_hi += priv->asize;
Reported by FlawFinder.
Line: 323
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pmc551_point(mtd, soff_hi, priv->asize, retlen,
(void **)&ptr, NULL);
}
memcpy(ptr, copyfrom, eoff_lo);
copyfrom += eoff_lo;
}
out:
#ifdef CONFIG_MTD_PMC551_DEBUG
Reported by FlawFinder.