The following issues were found
drivers/scsi/esas2r/esas2r_vda.c
6 issues
Line: 115
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rq->vrq->flash.length = cpu_to_le32(datalen);
rq->vrq->flash.sub_func = vi->cmd.flash.sub_func;
memcpy(rq->vrq->flash.data.file.file_name,
vi->cmd.flash.data.file.file_name,
sizeof(vi->cmd.flash.data.file.file_name));
firstsg = rq->vrq->flash.data.file.sge;
break;
Reported by FlawFinder.
Line: 224
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rq->vrq->cfg.length = cpu_to_le32(vi->cmd.cfg.data_length);
if (vi->cmd.cfg.cfg_func == VDA_CFG_GET_INIT) {
memcpy(&rq->vrq->cfg.data,
&vi->cmd.cfg.data,
vi->cmd.cfg.data_length);
esas2r_nuxi_cfg_data(rq->vrq->cfg.sub_func,
&rq->vrq->cfg.data);
Reported by FlawFinder.
Line: 242
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vi->cmd.gsv.rsp_len = vercnt;
memcpy(vi->cmd.gsv.version_info, esas2r_vdaioctl_versions,
vercnt);
vi->vda_status = RS_SUCCESS;
break;
Reported by FlawFinder.
Line: 305
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (vi->cmd.cfg.cfg_func == VDA_CFG_GET_INIT) {
struct atto_ioctl_vda_cfg_cmd *cfg = &vi->cmd.cfg;
struct atto_vda_cfg_rsp *rsp = &rq->func_rsp.cfg_rsp;
char buf[sizeof(cfg->data.init.fw_release) + 1];
cfg->data_length =
cpu_to_le32(sizeof(struct atto_vda_cfg_init));
cfg->data.init.vda_version =
le32_to_cpu(rsp->vda_version);
Reported by FlawFinder.
Line: 414
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data) {
esas2r_nuxi_mgt_data(sub_func, data);
memcpy(&rq->vda_rsp_data->mgt_data.data.bytes[0], data,
length);
}
}
/* Build a VDA asyncronous event (AE) request. */
Reported by FlawFinder.
Line: 500
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data) {
esas2r_nuxi_cfg_data(sub_func, data);
memcpy(&vrq->data, data, length);
}
}
static void clear_vda_request(struct esas2r_request *rq)
{
Reported by FlawFinder.
drivers/scsi/esas2r/esas2r_log.c
6 issues
Line: 147
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
*/
if (dev == NULL) {
snprintf(buffer, buflen, fmt_nodev, slevel,
ESAS2R_DRVR_NAME);
} else {
snprintf(buffer, buflen, fmt_dev, slevel,
ESAS2R_DRVR_NAME,
(dev->driver ? dev->driver->name : "unknown"),
Reported by FlawFinder.
Line: 150
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
snprintf(buffer, buflen, fmt_nodev, slevel,
ESAS2R_DRVR_NAME);
} else {
snprintf(buffer, buflen, fmt_dev, slevel,
ESAS2R_DRVR_NAME,
(dev->driver ? dev->driver->name : "unknown"),
(dev->bus ? dev->bus->name : "unknown"),
dev_name(dev));
}
Reported by FlawFinder.
Line: 160
Column: 12
CWE codes:
134
Suggestion:
Use a constant for the format specification
buffer += strlen(event_buffer);
buflen -= strlen(event_buffer);
retval = vsnprintf(buffer, buflen, format, args);
if (retval < 0) {
spin_unlock_irqrestore(&event_buffer_lock, flags);
return -1;
}
Reported by FlawFinder.
Line: 73
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
"Specifies the level of events to report to the system log. Critical and warning level events are logged by default.");
/* A shared buffer to use for formatting messages. */
static char event_buffer[EVENT_LOG_BUFF_SIZE];
/* A lock to protect the shared buffer used for formatting messages. */
static DEFINE_SPINLOCK(event_buffer_lock);
/*
Reported by FlawFinder.
Line: 157
Column: 13
CWE codes:
126
dev_name(dev));
}
buffer += strlen(event_buffer);
buflen -= strlen(event_buffer);
retval = vsnprintf(buffer, buflen, format, args);
if (retval < 0) {
spin_unlock_irqrestore(&event_buffer_lock, flags);
Reported by FlawFinder.
Line: 158
Column: 13
CWE codes:
126
}
buffer += strlen(event_buffer);
buflen -= strlen(event_buffer);
retval = vsnprintf(buffer, buflen, format, args);
if (retval < 0) {
spin_unlock_irqrestore(&event_buffer_lock, flags);
return -1;
Reported by FlawFinder.
drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.h
6 issues
Line: 61
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* root node property "ibm,partition-no" */
uint partition_num;
char partition_name[PARTITION_NAMELEN];
};
#define MAX_NUM_PORTS 1
#define MAX_H_COPY_RDMA (128 * 1024)
Reported by FlawFinder.
Line: 81
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct client_info {
#define SRP_VERSION "16.a"
char srp_version[8];
/* root node property ibm,partition-name */
char partition_name[PARTITION_NAMELEN];
/* root node property ibm,partition-no */
u32 partition_number;
/* initially 1 */
Reported by FlawFinder.
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define SRP_VERSION "16.a"
char srp_version[8];
/* root node property ibm,partition-name */
char partition_name[PARTITION_NAMELEN];
/* root node property ibm,partition-no */
u32 partition_number;
/* initially 1 */
u32 mad_version;
u32 os_type;
Reported by FlawFinder.
Line: 164
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct scsi_info *adapter;
struct ibmvscsis_cmd *abort_cmd;
/* Sense buffer that will be mapped into outgoing status */
unsigned char sense_buf[TRANSPORT_SENSE_BUFFER];
u64 init_time;
#define CMD_FAST_FAIL BIT(0)
#define DELAY_SEND BIT(1)
u32 flags;
char type;
Reported by FlawFinder.
Line: 180
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* SCSI protocol the tport is providing */
u8 tport_proto_id;
/* ASCII formatted WWPN for SRP Target port */
char tport_name[IBMVSCSIS_NAMELEN];
/* Returned by ibmvscsis_make_tport() */
struct se_wwn tport_wwn;
/* Returned by ibmvscsis_make_tpg() */
struct se_portal_group se_tpg;
/* ibmvscsis port target portal group tag for TCM */
Reported by FlawFinder.
Line: 195
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct scsi_info {
struct list_head list;
char eye[MAX_EYE];
/* commands waiting for space on repsonse queue */
struct list_head waiting_rsp;
#define NO_QUEUE 0x00
#define WAIT_ENABLED 0X01
Reported by FlawFinder.
drivers/rtc/rtc-ds1343.c
6 issues
Line: 183
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
}
return sprintf(buf, "%s %s\n", diodes, resistors);
}
static DEVICE_ATTR(trickle_charger, S_IRUGO, ds1343_show_tricklecharger, NULL);
static struct attribute *ds1343_attrs[] = {
Reported by FlawFinder.
Line: 97
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
glitch_filt_status = !!(data & DS1343_EGFIL);
if (glitch_filt_status)
return sprintf(buf, "enabled\n");
else
return sprintf(buf, "disabled\n");
}
static ssize_t ds1343_store_glitchfilter(struct device *dev,
Reported by FlawFinder.
Line: 99
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (glitch_filt_status)
return sprintf(buf, "enabled\n");
else
return sprintf(buf, "disabled\n");
}
static ssize_t ds1343_store_glitchfilter(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 201
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ds1343_read_time(struct device *dev, struct rtc_time *dt)
{
struct ds1343_priv *priv = dev_get_drvdata(dev);
unsigned char buf[7];
int res;
res = regmap_bulk_read(priv->map, DS1343_SECONDS_REG, buf, 7);
if (res)
return res;
Reported by FlawFinder.
Line: 239
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ds1343_read_alarm(struct device *dev, struct rtc_wkalrm *alarm)
{
struct ds1343_priv *priv = dev_get_drvdata(dev);
unsigned char buf[4];
unsigned int val;
int res;
if (priv->irq <= 0)
return -EINVAL;
Reported by FlawFinder.
Line: 272
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ds1343_set_alarm(struct device *dev, struct rtc_wkalrm *alarm)
{
struct ds1343_priv *priv = dev_get_drvdata(dev);
unsigned char buf[4];
int res = 0;
if (priv->irq <= 0)
return -EINVAL;
Reported by FlawFinder.
drivers/net/wireless/st/cw1200/txrx.c
6 issues
Line: 1036
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(mgmt->u.action.category == WLAN_CATEGORY_PUBLIC)) {
pr_debug("[RX] Going to MAP&RESET link ID\n");
WARN_ON(work_pending(&priv->linkid_reset_work));
memcpy(&priv->action_frame_sa[0],
ieee80211_get_SA(frame), ETH_ALEN);
priv->action_linkid = 0;
schedule_work(&priv->linkid_reset_work);
}
Reported by FlawFinder.
Line: 1049
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Reset and Remap
*/
WARN_ON(work_pending(&priv->linkid_reset_work));
memcpy(&priv->action_frame_sa[0],
ieee80211_get_SA(frame), ETH_ALEN);
priv->action_linkid = link_id;
schedule_work(&priv->linkid_reset_work);
}
if (arg->status) {
Reported by FlawFinder.
Line: 1148
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Remove TSF from the end of frame */
if (arg->flags & WSM_RX_STATUS_TSF_INCLUDED) {
memcpy(&hdr->mactime, skb->data + skb->len - 8, 8);
hdr->mactime = le64_to_cpu(hdr->mactime);
if (skb->len >= 8)
skb_trim(skb, skb->len - 8);
} else {
hdr->mactime = 0;
Reported by FlawFinder.
Line: 1349
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct cw1200_link_entry *entry = &priv->link_id_db[ret - 1];
pr_debug("[AP] STA added, link_id: %d\n", ret);
entry->status = CW1200_LINK_RESERVE;
memcpy(&entry->mac, mac, ETH_ALEN);
memset(&entry->buffered, 0, CW1200_MAX_TID);
skb_queue_head_init(&entry->rx_queue);
wsm_lock_tx_async(priv);
if (queue_work(priv->workqueue, &priv->link_id_work) <= 0)
wsm_unlock_tx(priv);
Reported by FlawFinder.
Line: 1409
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->link_id_map |= mask;
if (priv->link_id_db[i].status != CW1200_LINK_HARD)
priv->link_id_db[i].status = CW1200_LINK_SOFT;
memcpy(map_link.mac_addr, priv->link_id_db[i].mac,
ETH_ALEN);
spin_unlock_bh(&priv->ps_state_lock);
if (need_reset) {
reset.link_id = i + 1;
wsm_reset(priv, &reset);
Reported by FlawFinder.
Line: 1448
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_unlock_bh(&priv->ps_state_lock);
wsm_reset(priv, &reset);
if (status == CW1200_LINK_RESET_REMAP) {
memcpy(map_link.mac_addr,
priv->link_id_db[i].mac,
ETH_ALEN);
map_link.link_id = i + 1;
wsm_map_link(priv, &map_link);
next_gc = min(next_gc,
Reported by FlawFinder.
drivers/net/wireless/intersil/prism54/islpci_dev.c
6 issues
Line: 914
CWE codes:
476
islpci_state_t old_state;
/* lock */
old_state = priv->state;
/* this means either a race condition or some serious error in
* the driver code */
switch (new_state) {
case PRV_STATE_OFF:
Reported by Cppcheck.
Line: 880
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* select the firmware file depending on the device id */
switch (pdev->device) {
case 0x3877:
strcpy(priv->firmware, ISL3877_IMAGE_FILE);
break;
case 0x3886:
strcpy(priv->firmware, ISL3886_IMAGE_FILE);
break;
Reported by FlawFinder.
Line: 884
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
break;
case 0x3886:
strcpy(priv->firmware, ISL3886_IMAGE_FILE);
break;
default:
strcpy(priv->firmware, ISL3890_IMAGE_FILE);
break;
Reported by FlawFinder.
Line: 888
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
break;
default:
strcpy(priv->firmware, ISL3890_IMAGE_FILE);
break;
}
if (register_netdev(ndev)) {
DEBUG(SHOW_ERROR_MESSAGES,
Reported by FlawFinder.
Line: 47
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* Of course, this is not the final/real MAC address. It doesn't
* matter, as you are suppose to be able to change it anytime via
* ndev->set_mac_address. Jean II */
static const unsigned char dummy_mac[6] = { 0x00, 0x30, 0xB4, 0x00, 0x00, 0x00 };
static int
isl_upload_firmware(islpci_private *priv)
{
u32 reg, rc;
Reported by FlawFinder.
Line: 829
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* ndev->set_multicast_list = &islpci_set_multicast_list; */
ndev->addr_len = ETH_ALEN;
/* Get a non-zero dummy MAC address for nameif. Jean II */
memcpy(ndev->dev_addr, dummy_mac, ETH_ALEN);
ndev->watchdog_timeo = ISLPCI_TX_TIMEOUT;
/* allocate a private device structure to the network device */
priv = netdev_priv(ndev);
Reported by FlawFinder.
drivers/rtc/rtc-ab8500.c
6 issues
Line: 66
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long timeout = jiffies + HZ;
int retval, i;
unsigned long mins, secs;
unsigned char buf[ARRAY_SIZE(ab8500_rtc_time_regs)];
u8 value;
/* Request a data read */
retval = abx500_set_register_interruptible(dev,
AB8500_RTC, AB8500_RTC_READ_REQ_REG, RTC_READ_REQUEST);
Reported by FlawFinder.
Line: 110
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ab8500_rtc_set_time(struct device *dev, struct rtc_time *tm)
{
int retval, i;
unsigned char buf[ARRAY_SIZE(ab8500_rtc_time_regs)];
unsigned long no_secs, no_mins, secs = 0;
secs = rtc_tm_to_time64(tm);
no_mins = secs / 60;
Reported by FlawFinder.
Line: 144
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int retval, i;
u8 rtc_ctrl, value;
unsigned char buf[ARRAY_SIZE(ab8500_rtc_alarm_regs)];
unsigned long secs, mins;
/* Check if the alarm is enabled or not */
retval = abx500_get_register_interruptible(dev, AB8500_RTC,
AB8500_RTC_STAT_REG, &rtc_ctrl);
Reported by FlawFinder.
Line: 186
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ab8500_rtc_set_alarm(struct device *dev, struct rtc_wkalrm *alarm)
{
int retval, i;
unsigned char buf[ARRAY_SIZE(ab8500_rtc_alarm_regs)];
unsigned long mins, secs = 0, cursec = 0;
struct rtc_time curtm;
/* Get the number of seconds since 1970 */
secs = rtc_tm_to_time64(&alarm->time);
Reported by FlawFinder.
Line: 303
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
retval = ab8500_rtc_get_calibration(dev, &calibration);
if (retval < 0) {
dev_err(dev, "Failed to read RTC calibration attribute\n");
sprintf(buf, "0\n");
return retval;
}
return sprintf(buf, "%d\n", calibration);
}
Reported by FlawFinder.
Line: 307
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return retval;
}
return sprintf(buf, "%d\n", calibration);
}
static DEVICE_ATTR(rtc_calibration, S_IRUGO | S_IWUSR,
ab8500_sysfs_show_rtc_calibration,
ab8500_sysfs_store_rtc_calibration);
Reported by FlawFinder.
drivers/scsi/device_handler/scsi_dh_rdac.c
6 issues
Line: 344
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
/* initialize fields of controller */
memcpy(ctlr->array_id, array_id, UNIQUE_ID_LEN);
ctlr->index = index;
ctlr->host = sdev->host;
memcpy(ctlr->array_name, array_name, ARRAY_LABEL_LEN);
kref_init(&ctlr->kref);
Reported by FlawFinder.
Line: 347
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ctlr->array_id, array_id, UNIQUE_ID_LEN);
ctlr->index = index;
ctlr->host = sdev->host;
memcpy(ctlr->array_name, array_name, ARRAY_LABEL_LEN);
kref_init(&ctlr->kref);
ctlr->use_ms10 = -1;
ctlr->ms_queued = 0;
ctlr->ms_sdev = NULL;
Reported by FlawFinder.
Line: 382
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*(array_name+ARRAY_LABEL_LEN-1) = '\0';
memset(array_id, 0, UNIQUE_ID_LEN);
memcpy(array_id, inqp->array_unique_id, inqp->array_uniq_id_len);
err = SCSI_DH_OK;
}
return err;
}
Reported by FlawFinder.
Line: 536
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int err = SCSI_DH_OK, retry_cnt = RDAC_RETRY_COUNT;
struct rdac_queue_data *tmp, *qdata;
LIST_HEAD(list);
unsigned char cdb[MAX_COMMAND_SIZE];
struct scsi_sense_hdr sshdr;
unsigned int data_size;
u64 req_flags = REQ_FAILFAST_DEV | REQ_FAILFAST_TRANSPORT |
REQ_FAILFAST_DRIVER;
Reported by FlawFinder.
Line: 728
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct rdac_dh_data *h;
int err;
char array_name[ARRAY_LABEL_LEN];
char array_id[UNIQUE_ID_LEN];
h = kzalloc(sizeof(*h) , GFP_KERNEL);
if (!h)
return SCSI_DH_NOMEM;
Reported by FlawFinder.
Line: 729
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rdac_dh_data *h;
int err;
char array_name[ARRAY_LABEL_LEN];
char array_id[UNIQUE_ID_LEN];
h = kzalloc(sizeof(*h) , GFP_KERNEL);
if (!h)
return SCSI_DH_NOMEM;
h->lun = UNINITIALIZED_LUN;
Reported by FlawFinder.
drivers/net/wireless/ti/wlcore/acx.c
6 issues
Line: 231
CWE codes:
476
acx->role_id = wlvif->role_id;
acx->enabled = enable;
acx->num_groups = mc_list_len;
memcpy(acx->mac_table, mc_list, mc_list_len * ETH_ALEN);
ret = wl1271_cmd_configure(wl, DOT11_GROUP_ADDRESS_TBL,
acx, sizeof(*acx));
if (ret < 0) {
wl1271_warning("failed to set group addr table: %d", ret);
Reported by Cppcheck.
Line: 231
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
acx->role_id = wlvif->role_id;
acx->enabled = enable;
acx->num_groups = mc_list_len;
memcpy(acx->mac_table, mc_list, mc_list_len * ETH_ALEN);
ret = wl1271_cmd_configure(wl, DOT11_GROUP_ADDRESS_TBL,
acx, sizeof(*acx));
if (ret < 0) {
wl1271_warning("failed to set group addr table: %d", ret);
Reported by FlawFinder.
Line: 411
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* for vendor specific rules configure the
additional fields */
memcpy(&(ie_table->table[idx]), r->oui,
CONF_BCN_IE_OUI_LEN);
idx += CONF_BCN_IE_OUI_LEN;
ie_table->table[idx++] = r->type;
memcpy(&(ie_table->table[idx]), r->version,
CONF_BCN_IE_VER_LEN);
Reported by FlawFinder.
Line: 415
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CONF_BCN_IE_OUI_LEN);
idx += CONF_BCN_IE_OUI_LEN;
ie_table->table[idx++] = r->type;
memcpy(&(ie_table->table[idx]), r->version,
CONF_BCN_IE_VER_LEN);
idx += CONF_BCN_IE_VER_LEN;
vendor_spec = true;
}
Reported by FlawFinder.
Line: 1109
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
acx->enable = enable;
if (enable)
memcpy(acx->address, &address, ACX_IPV4_ADDR_SIZE);
ret = wl1271_cmd_configure(wl, ACX_ARP_IP_FILTER,
acx, sizeof(*acx));
if (ret < 0) {
wl1271_warning("failed to set arp ip filter: %d", ret);
Reported by FlawFinder.
Line: 1593
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!acx)
return -ENOMEM;
memcpy(acx->addr, addr, ETH_ALEN);
acx->role_id = wlvif->role_id;
ret = wl1271_cmd_configure(wl, ACX_UPDATE_INCONNECTION_STA_LIST,
acx, sizeof(*acx));
if (ret < 0) {
Reported by FlawFinder.
drivers/rtc/rtc-rs5c372.c
6 issues
Line: 127
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned time24:1;
unsigned has_irq:1;
unsigned smbus:1;
char buf[17];
char *regs;
};
static int rs5c_get_regs(struct rs5c372 *rs5c)
{
Reported by FlawFinder.
Line: 261
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i2c_client *client = to_i2c_client(dev);
struct rs5c372 *rs5c = i2c_get_clientdata(client);
unsigned char buf[7];
unsigned char ctrl2;
int addr;
dev_dbg(&client->dev, "%s: tm is secs=%d, mins=%d, hours=%d "
"mday=%d, mon=%d, year=%d, wday=%d\n",
Reported by FlawFinder.
Line: 419
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct i2c_client *client = to_i2c_client(dev);
struct rs5c372 *rs5c = i2c_get_clientdata(client);
int status, addr, i;
unsigned char buf[3];
/* only handle up to 24 hours in the future, like RTC_ALM_SET */
if (t->time.tm_mday != -1
|| t->time.tm_mon != -1
|| t->time.tm_year != -1)
Reported by FlawFinder.
Line: 508
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
return sprintf(buf, "%d\n", trim);
}
static DEVICE_ATTR(trim, S_IRUGO, rs5c372_sysfs_show_trim, NULL);
static ssize_t rs5c372_sysfs_show_osc(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 521
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
return sprintf(buf, "%d.%03d KHz\n", osc / 1000, osc % 1000);
}
static DEVICE_ATTR(osc, S_IRUGO, rs5c372_sysfs_show_osc, NULL);
static int rs5c_sysfs_register(struct device *dev)
{
Reported by FlawFinder.
Line: 561
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int rs5c_oscillator_setup(struct rs5c372 *rs5c372)
{
unsigned char buf[2];
int addr, i, ret = 0;
addr = RS5C_ADDR(RS5C_REG_CTRL1);
buf[0] = rs5c372->regs[RS5C_REG_CTRL1];
buf[1] = rs5c372->regs[RS5C_REG_CTRL2];
Reported by FlawFinder.