The following issues were found
drivers/mmc/host/meson-gx-mmc.c
6 issues
Line: 420
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct clk_init_data init;
struct clk_mux *mux;
struct clk_divider *div;
char clk_name[32];
int i, ret = 0;
const char *mux_parent_names[MUX_CLK_NUM_PARENTS];
const char *clk_parent[1];
u32 clk_reg;
Reported by FlawFinder.
Line: 422
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct clk_divider *div;
char clk_name[32];
int i, ret = 0;
const char *mux_parent_names[MUX_CLK_NUM_PARENTS];
const char *clk_parent[1];
u32 clk_reg;
/* init SD_EMMC_CLOCK to sane defaults w/min clock rate */
clk_reg = CLK_ALWAYS_ON(host);
Reported by FlawFinder.
Line: 423
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char clk_name[32];
int i, ret = 0;
const char *mux_parent_names[MUX_CLK_NUM_PARENTS];
const char *clk_parent[1];
u32 clk_reg;
/* init SD_EMMC_CLOCK to sane defaults w/min clock rate */
clk_reg = CLK_ALWAYS_ON(host);
clk_reg |= CLK_DIV_MASK;
Reported by FlawFinder.
Line: 437
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* get the mux parents */
for (i = 0; i < MUX_CLK_NUM_PARENTS; i++) {
struct clk *clk;
char name[16];
snprintf(name, sizeof(name), "clkin%d", i);
clk = devm_clk_get(host->dev, name);
if (IS_ERR(clk))
return dev_err_probe(host->dev, PTR_ERR(clk),
Reported by FlawFinder.
Line: 779
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy_fromio(miter.addr, host->bounce_iomem_buf + offset, len);
} else {
if (to_buffer)
memcpy(host->bounce_buf + offset, miter.addr, len);
else
memcpy(miter.addr, host->bounce_buf + offset, len);
}
offset += len;
Reported by FlawFinder.
Line: 781
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (to_buffer)
memcpy(host->bounce_buf + offset, miter.addr, len);
else
memcpy(miter.addr, host->bounce_buf + offset, len);
}
offset += len;
}
Reported by FlawFinder.
drivers/mmc/core/block.c
6 issues
Line: 601
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (idata->ic.postsleep_min_us)
usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
memcpy(&(idata->ic.response), cmd.resp, sizeof(cmd.resp));
if (idata->rpmb || (cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B) {
/*
* Ensure RPMB/R1B command has completed by polling CMD13
* "Send Status".
Reported by FlawFinder.
Line: 2296
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct mmc_blk_data *md;
int devidx, ret;
char cap_str[10];
devidx = ida_simple_get(&mmc_blk_ida, 0, max_devices, GFP_KERNEL);
if (devidx < 0) {
/*
* We get -ENOSPC because there are no more any available
Reported by FlawFinder.
Line: 2534
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *subname)
{
int devidx, ret;
char rpmb_name[DISK_NAME_LEN];
char cap_str[10];
struct mmc_rpmb_data *rpmb;
/* This creates the minor number for the RPMB char device */
devidx = ida_simple_get(&mmc_rpmb_ida, 0, max_devices, GFP_KERNEL);
Reported by FlawFinder.
Line: 2535
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int devidx, ret;
char rpmb_name[DISK_NAME_LEN];
char cap_str[10];
struct mmc_rpmb_data *rpmb;
/* This creates the minor number for the RPMB char device */
devidx = ida_simple_get(&mmc_rpmb_ida, 0, max_devices, GFP_KERNEL);
if (devidx < 0)
Reported by FlawFinder.
Line: 2790
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
for (i = 0; i < 512; i++)
n += sprintf(buf + n, "%02x", ext_csd[i]);
n += sprintf(buf + n, "\n");
if (n != EXT_CSD_STR_LEN) {
err = -EINVAL;
kfree(ext_csd);
Reported by FlawFinder.
Line: 2791
Column: 7
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < 512; i++)
n += sprintf(buf + n, "%02x", ext_csd[i]);
n += sprintf(buf + n, "\n");
if (n != EXT_CSD_STR_LEN) {
err = -EINVAL;
kfree(ext_csd);
goto out_free;
Reported by FlawFinder.
drivers/media/pci/ngene/ngene-i2c.c
6 issues
Line: 39
CWE codes:
476
com.cmd.hdr.Opcode = CMD_I2C_READ;
com.cmd.hdr.Length = outlen + 3;
com.cmd.I2CRead.Device = adr << 1;
memcpy(com.cmd.I2CRead.Data, out, outlen);
com.cmd.I2CRead.Data[outlen] = inlen;
com.cmd.I2CRead.Data[outlen + 1] = 0;
com.in_len = outlen + 3;
com.out_len = inlen + 1;
Reported by Cppcheck.
Line: 39
CWE codes:
476
com.cmd.hdr.Opcode = CMD_I2C_READ;
com.cmd.hdr.Length = outlen + 3;
com.cmd.I2CRead.Device = adr << 1;
memcpy(com.cmd.I2CRead.Data, out, outlen);
com.cmd.I2CRead.Data[outlen] = inlen;
com.cmd.I2CRead.Data[outlen + 1] = 0;
com.in_len = outlen + 3;
com.out_len = inlen + 1;
Reported by Cppcheck.
Line: 39
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
com.cmd.hdr.Opcode = CMD_I2C_READ;
com.cmd.hdr.Length = outlen + 3;
com.cmd.I2CRead.Device = adr << 1;
memcpy(com.cmd.I2CRead.Data, out, outlen);
com.cmd.I2CRead.Data[outlen] = inlen;
com.cmd.I2CRead.Data[outlen + 1] = 0;
com.in_len = outlen + 3;
com.out_len = inlen + 1;
Reported by FlawFinder.
Line: 52
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EIO;
if (flag)
memcpy(in, com.cmd.raw8, inlen + 1);
else
memcpy(in, com.cmd.raw8 + 1, inlen);
return 0;
}
Reported by FlawFinder.
Line: 54
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flag)
memcpy(in, com.cmd.raw8, inlen + 1);
else
memcpy(in, com.cmd.raw8 + 1, inlen);
return 0;
}
static int ngene_command_i2c_write(struct ngene *dev, u8 adr,
u8 *out, u8 outlen)
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
com.cmd.hdr.Opcode = CMD_I2C_WRITE;
com.cmd.hdr.Length = outlen + 1;
com.cmd.I2CRead.Device = adr << 1;
memcpy(com.cmd.I2CRead.Data, out, outlen);
com.in_len = outlen + 1;
com.out_len = 1;
if (ngene_command(dev, &com) < 0)
return -EIO;
Reported by FlawFinder.
drivers/misc/uacce/uacce.c
6 issues
Line: 292
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct uacce_device *uacce = to_uacce_device(dev);
return sprintf(buf, "%s\n", uacce->api_ver);
}
static ssize_t flags_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 321
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct uacce_device *uacce = to_uacce_device(dev);
return sprintf(buf, "%s\n", uacce->algs);
}
static ssize_t region_mmio_size_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 300
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct uacce_device *uacce = to_uacce_device(dev);
return sprintf(buf, "%u\n", uacce->flags);
}
static ssize_t available_instances_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 312
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!uacce->ops->get_available_instances)
return -ENODEV;
return sprintf(buf, "%d\n",
uacce->ops->get_available_instances(uacce));
}
static ssize_t algorithms_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 329
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct uacce_device *uacce = to_uacce_device(dev);
return sprintf(buf, "%lu\n",
uacce->qf_pg_num[UACCE_QFRT_MMIO] << PAGE_SHIFT);
}
static ssize_t region_dus_size_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 338
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct uacce_device *uacce = to_uacce_device(dev);
return sprintf(buf, "%lu\n",
uacce->qf_pg_num[UACCE_QFRT_DUS] << PAGE_SHIFT);
}
static DEVICE_ATTR_RO(api);
static DEVICE_ATTR_RO(flags);
Reported by FlawFinder.
drivers/misc/mei/main.c
6 issues
Line: 1100
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
dev_state = dev->dev_state;
mutex_unlock(&dev->device_lock);
return sprintf(buf, "%s", mei_dev_state_str(dev_state));
}
static DEVICE_ATTR_RO(dev_state);
/**
* mei_set_devstate: set to new device state and notify sysfs file.
Reported by FlawFinder.
Line: 1142
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t ret;
if (dev->kind)
ret = sprintf(buf, "%s\n", dev->kind);
else
ret = sprintf(buf, "%s\n", "mei");
return ret;
}
Reported by FlawFinder.
Line: 1144
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (dev->kind)
ret = sprintf(buf, "%s\n", dev->kind);
else
ret = sprintf(buf, "%s\n", "mei");
return ret;
}
static DEVICE_ATTR_RO(kind);
Reported by FlawFinder.
Line: 942
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ret = mei_trc_status(dev, &trc);
if (ret)
return ret;
return sprintf(buf, "%08X\n", trc);
}
static DEVICE_ATTR_RO(trc);
/**
* fw_status_show - mei device fw_status attribute show method
Reported by FlawFinder.
Line: 997
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ver = dev->version;
mutex_unlock(&dev->device_lock);
return sprintf(buf, "%u.%u\n", ver.major_version, ver.minor_version);
}
static DEVICE_ATTR_RO(hbm_ver);
/**
* hbm_ver_drv_show - display HBM protocol version advertised by driver
Reported by FlawFinder.
Line: 1013
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t hbm_ver_drv_show(struct device *device,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%u.%u\n", HBM_MAJOR_VERSION, HBM_MINOR_VERSION);
}
static DEVICE_ATTR_RO(hbm_ver_drv);
static ssize_t tx_queue_limit_show(struct device *device,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
drivers/misc/habanalabs/include/common/hl_boot_if.h
6 issues
Line: 388
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lkd_fw_comms_desc {
struct comms_desc_header header;
struct cpu_dyn_regs cpu_dyn_regs;
char fuse_ver[VERSION_MAX_LEN];
char cur_fw_ver[VERSION_MAX_LEN];
/* can be used for 1 more version w/o ABI change */
char reserved0[VERSION_MAX_LEN];
__le64 img_addr; /* address for next FW component load */
};
Reported by FlawFinder.
Line: 389
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct comms_desc_header header;
struct cpu_dyn_regs cpu_dyn_regs;
char fuse_ver[VERSION_MAX_LEN];
char cur_fw_ver[VERSION_MAX_LEN];
/* can be used for 1 more version w/o ABI change */
char reserved0[VERSION_MAX_LEN];
__le64 img_addr; /* address for next FW component load */
};
Reported by FlawFinder.
Line: 391
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char fuse_ver[VERSION_MAX_LEN];
char cur_fw_ver[VERSION_MAX_LEN];
/* can be used for 1 more version w/o ABI change */
char reserved0[VERSION_MAX_LEN];
__le64 img_addr; /* address for next FW component load */
};
enum comms_reset_cause {
HL_RESET_CAUSE_UNKNOWN = 0,
Reported by FlawFinder.
Line: 411
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union {
struct {
struct cpu_dyn_regs cpu_dyn_regs;
char fuse_ver[VERSION_MAX_LEN];
char cur_fw_ver[VERSION_MAX_LEN];
/* can be used for 1 more version w/o ABI change */
char reserved0[VERSION_MAX_LEN];
/* address for next FW component load */
__le64 img_addr;
Reported by FlawFinder.
Line: 412
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct {
struct cpu_dyn_regs cpu_dyn_regs;
char fuse_ver[VERSION_MAX_LEN];
char cur_fw_ver[VERSION_MAX_LEN];
/* can be used for 1 more version w/o ABI change */
char reserved0[VERSION_MAX_LEN];
/* address for next FW component load */
__le64 img_addr;
};
Reported by FlawFinder.
Line: 414
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char fuse_ver[VERSION_MAX_LEN];
char cur_fw_ver[VERSION_MAX_LEN];
/* can be used for 1 more version w/o ABI change */
char reserved0[VERSION_MAX_LEN];
/* address for next FW component load */
__le64 img_addr;
};
struct {
__u8 reset_cause;
Reported by FlawFinder.
drivers/misc/habanalabs/common/firmware_if.c
6 issues
Line: 228
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(pkt, msg, len);
mutex_lock(&hdev->send_cpu_message_lock);
if (hdev->disabled)
goto out;
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
pkt->length = cpu_to_le32(irq_arr_size / sizeof(irq_arr[0]));
memcpy(&pkt->irqs, irq_arr, irq_arr_size);
pkt->cpucp_pkt.ctl = cpu_to_le32(CPUCP_PACKET_UNMASK_RAZWI_IRQ_ARRAY <<
CPUCP_PKT_CTL_OPCODE_SHIFT);
rc = hdev->asic_funcs->send_cpu_message(hdev, (u32 *) pkt,
Reported by FlawFinder.
Line: 790
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* result contains the actual size */
memcpy(data, eeprom_info_cpu_addr, min((size_t)result, max_size));
out:
hdev->asic_funcs->cpu_accessible_dma_pool_free(hdev, max_size,
eeprom_info_cpu_addr);
Reported by FlawFinder.
Line: 1154
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *dest, *boot_ver, *preboot_ver;
u32 ver_off, limit;
const char *name;
char btl_ver[32];
static_loader = &hdev->fw_loader.static_loader;
switch (fwc) {
case FW_COMP_BOOT_FIT:
Reported by FlawFinder.
Line: 1312
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
/* associate string with COMM status */
static char *hl_dynamic_fw_status_str[COMMS_STS_INVLD_LAST] = {
[COMMS_STS_NOOP] = "NOOP",
[COMMS_STS_ACK] = "ACK",
[COMMS_STS_OK] = "OK",
[COMMS_STS_ERR] = "ERR",
[COMMS_STS_VALID_ERR] = "VALID_ERR",
Reported by FlawFinder.
Line: 1801
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct asic_fixed_properties *prop = &hdev->asic_prop;
char *preboot_ver, *boot_ver;
char btl_ver[32];
switch (fwc) {
case FW_COMP_BOOT_FIT:
strscpy(prop->uboot_ver, fw_version, VERSION_MAX_LEN);
boot_ver = extract_fw_ver_from_str(prop->uboot_ver);
Reported by FlawFinder.
drivers/media/platform/coda/coda-bit.c
6 issues
Line: 666
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (dev->devtype->product == CODA_960) {
for (i = 63; i > 0; i--)
if (((char *)vb2_plane_vaddr(vb, 0))[i] != 0)
break;
*size = i + 1;
} else {
*size = coda_read(dev, CODA_REG_BIT_WR_PTR(ctx->reg_idx)) -
coda_read(dev, CODA_CMD_ENC_HEADER_BB_START);
Reported by FlawFinder.
Line: 673
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*size = coda_read(dev, CODA_REG_BIT_WR_PTR(ctx->reg_idx)) -
coda_read(dev, CODA_CMD_ENC_HEADER_BB_START);
}
memcpy(header, vb2_plane_vaddr(vb, 0), *size);
return 0;
}
static u32 coda_slice_mode(struct coda_ctx *ctx)
Reported by FlawFinder.
Line: 1536
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->vpu_header_size[0] -
ctx->vpu_header_size[1] -
ctx->vpu_header_size[2];
memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0),
&ctx->vpu_header[0][0], ctx->vpu_header_size[0]);
memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0)
+ ctx->vpu_header_size[0], &ctx->vpu_header[1][0],
ctx->vpu_header_size[1]);
memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0)
Reported by FlawFinder.
Line: 1538
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->vpu_header_size[2];
memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0),
&ctx->vpu_header[0][0], ctx->vpu_header_size[0]);
memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0)
+ ctx->vpu_header_size[0], &ctx->vpu_header[1][0],
ctx->vpu_header_size[1]);
memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0)
+ ctx->vpu_header_size[0] + ctx->vpu_header_size[1],
&ctx->vpu_header[2][0], ctx->vpu_header_size[2]);
Reported by FlawFinder.
Line: 1541
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0)
+ ctx->vpu_header_size[0], &ctx->vpu_header[1][0],
ctx->vpu_header_size[1]);
memcpy(vb2_plane_vaddr(&dst_buf->vb2_buf, 0)
+ ctx->vpu_header_size[0] + ctx->vpu_header_size[1],
&ctx->vpu_header[2][0], ctx->vpu_header_size[2]);
} else {
pic_stream_buffer_addr =
vb2_dma_contig_plane_dma_addr(&dst_buf->vb2_buf, 0);
Reported by FlawFinder.
Line: 2259
Column: 20
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* If this is the last buffer in the bitstream, add padding */
if (meta->end == ctx->bitstream_fifo.kfifo.in) {
static unsigned char buf[512];
unsigned int pad;
/* Pad to multiple of 256 and then add 256 more */
pad = ((0 - meta->end) & 0xff) + 256;
Reported by FlawFinder.
drivers/misc/bcm-vk/bcm_vk.h
6 issues
Line: 286
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bcm_vk_card_info {
u32 version;
char os_tag[MAX_CARD_INFO_TAG_SIZE];
char cmpt_tag[MAX_CARD_INFO_TAG_SIZE];
u32 cpu_freq_mhz;
u32 cpu_scale[MAX_OPP];
u32 ddr_freq_mhz;
u32 ddr_size_MB;
Reported by FlawFinder.
Line: 287
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bcm_vk_card_info {
u32 version;
char os_tag[MAX_CARD_INFO_TAG_SIZE];
char cmpt_tag[MAX_CARD_INFO_TAG_SIZE];
u32 cpu_freq_mhz;
u32 cpu_scale[MAX_OPP];
u32 ddr_freq_mhz;
u32 ddr_size_MB;
u32 video_core_freq_mhz;
Reported by FlawFinder.
Line: 297
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* DAUTH related info */
struct bcm_vk_dauth_key {
char store[VK_BAR1_DAUTH_STORE_SIZE];
char valid[VK_BAR1_DAUTH_VALID_SIZE];
};
struct bcm_vk_dauth_info {
struct bcm_vk_dauth_key keys[VK_BAR1_DAUTH_MAX];
Reported by FlawFinder.
Line: 298
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* DAUTH related info */
struct bcm_vk_dauth_key {
char store[VK_BAR1_DAUTH_STORE_SIZE];
char valid[VK_BAR1_DAUTH_VALID_SIZE];
};
struct bcm_vk_dauth_info {
struct bcm_vk_dauth_key keys[VK_BAR1_DAUTH_MAX];
};
Reported by FlawFinder.
Line: 314
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 wr_idx;
u32 buf_size;
u32 mask;
char data[0];
};
/* max buf size allowed */
#define BCM_VK_PEER_LOG_BUF_MAX SZ_16K
/* max size per line of peer log */
Reported by FlawFinder.
Line: 327
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
#define BCM_VK_PROC_TYPE_TAG_LEN 8
struct bcm_vk_proc_mon_entry_t {
char tag[BCM_VK_PROC_TYPE_TAG_LEN];
u32 used;
u32 max; /**< max capacity */
};
/**
Reported by FlawFinder.
drivers/mfd/ipaq-micro.c
6 issues
Line: 98
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (micro->msg && micro->msg->id == id) {
struct ipaq_micro_msg *msg = micro->msg;
memcpy(msg->rx_data, data, len);
msg->rx_len = len;
complete(µ->msg->ack);
if (!list_empty(µ->queue)) {
micro->msg = list_entry(micro->queue.next,
struct ipaq_micro_msg,
Reported by FlawFinder.
Line: 196
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ipaq_micro_tx_msg_sync(micro, &msg);
if (msg.rx_len == 4) {
memcpy(micro->version, msg.rx_data, 4);
micro->version[4] = '\0';
} else if (msg.rx_len == 9) {
memcpy(micro->version, msg.rx_data, 4);
micro->version[4] = '\0';
/* Bytes 4-7 are "pack", byte 8 is "boot type" */
Reported by FlawFinder.
Line: 199
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(micro->version, msg.rx_data, 4);
micro->version[4] = '\0';
} else if (msg.rx_len == 9) {
memcpy(micro->version, msg.rx_data, 4);
micro->version[4] = '\0';
/* Bytes 4-7 are "pack", byte 8 is "boot type" */
} else {
dev_err(micro->dev,
"illegal version message %d bytes\n", msg.rx_len);
Reported by FlawFinder.
Line: 221
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg.tx_data[1] = 1;
msg.tx_len = 2;
ipaq_micro_tx_msg_sync(micro, &msg);
memcpy(data + (i * 2), msg.rx_data, 2);
}
}
static char *ipaq_micro_str(u8 *wchar, u8 len)
{
Reported by FlawFinder.
Line: 227
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *ipaq_micro_str(u8 *wchar, u8 len)
{
char retstr[256];
u8 i;
for (i = 0; i < len / 2; i++)
retstr[i] = wchar[i * 2];
return kstrdup(retstr, GFP_KERNEL);
Reported by FlawFinder.
Line: 255
Column: 30
CWE codes:
126
if (str) {
dev_info(micro->dev, "serial number: %s\n", str);
/* Feed the random pool with this */
add_device_randomness(str, strlen(str));
kfree(str);
}
str = ipaq_micro_str(dump+50, 20);
if (str) {
dev_info(micro->dev, "module ID: %s\n", str);
Reported by FlawFinder.