The following issues were found
drivers/net/can/janz-ican3.c
5 issues
Line: 241
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* firmware type */
enum ican3_fwtype fwtype;
char fwinfo[32];
/* old and new style host interface */
unsigned int iftype;
/* queue for echo packets */
Reported by FlawFinder.
Line: 847
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
msg.data[1] = 0;
msg.data[2] = 2; /* node class */
msg.data[3] = 1; /* node id */
strcpy(msg.data + 4, "locnod1"); /* node name */
return ican3_send_msg(mod, &msg);
}
return 0;
}
return -ENOTSUPP;
Reported by FlawFinder.
Line: 920
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cf->can_id |= desc->data[0] << 3;
cf->can_id |= (desc->data[1] & 0xe0) >> 5;
cf->len = can_cc_dlc2len(desc->data[1] & ICAN3_CAN_DLC_MASK);
memcpy(cf->data, &desc->data[2], cf->len);
} else {
cf->len = can_cc_dlc2len(desc->data[0] & ICAN3_CAN_DLC_MASK);
if (desc->data[0] & ICAN3_EFF_RTR)
cf->can_id |= CAN_RTR_FLAG;
Reported by FlawFinder.
Line: 937
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cf->can_id |= desc->data[3] >> 5; /* 2-0 */
}
memcpy(cf->data, &desc->data[6], cf->len);
}
}
static void can_frame_to_ican3(struct ican3_dev *mod,
struct can_frame *cf,
Reported by FlawFinder.
Line: 973
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* copy the data bits into the descriptor */
memcpy(&desc->data[6], cf->data, cf->len);
}
/*
* Interrupt Handling
*/
Reported by FlawFinder.
drivers/memstick/core/ms_block.c
5 issues
Line: 687
Column: 19
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (mrq->error) {
dbg("parallel_switch: error");
msb->regs.param.system &= ~MEMSTICK_SYS_PAM;
return msb_exit_state_machine(msb, mrq->error);
}
switch (msb->state) {
case MSB_PS_SEND_SWITCH_COMMAND:
Reported by FlawFinder.
Line: 694
Column: 19
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
switch (msb->state) {
case MSB_PS_SEND_SWITCH_COMMAND:
/* Set the parallel interface on memstick side */
msb->regs.param.system |= MEMSTICK_SYS_PAM;
if (!msb_write_regs(msb,
offsetof(struct ms_register, param),
1,
(unsigned char *)&msb->regs.param))
Reported by FlawFinder.
Line: 727
Column: 38
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
static int msb_reset(struct msb_data *msb, bool full)
{
bool was_parallel = msb->regs.param.system & MEMSTICK_SYS_PAM;
struct memstick_dev *card = msb->card;
struct memstick_host *host = card->host;
int error;
/* Reset the card */
Reported by FlawFinder.
Line: 779
Column: 19
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
error = msb_run_state_machine(msb, h_msb_parallel_switch);
if (error) {
pr_err("Switch to parallel failed");
msb->regs.param.system &= ~MEMSTICK_SYS_PAM;
msb_reset(msb, true);
return -EFAULT;
}
msb->caps |= MEMSTICK_CAP_AUTO_GET_INT;
Reported by FlawFinder.
Line: 2141
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
MS_BLOCK_MAX_PAGES * msb->page_size);
blk_queue_logical_block_size(msb->queue, msb->page_size);
sprintf(msb->disk->disk_name, "msblk%d", msb->disk_id);
msb->disk->fops = &msb_bdops;
msb->disk->private_data = msb;
capacity = msb->pages_in_block * msb->logical_block_count;
capacity *= (msb->page_size / 512);
Reported by FlawFinder.
drivers/memory/omap-gpmc.c
5 issues
Line: 781
Column: 64
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
GPMC_CD_FCLK, "rd_cycle");
ret |= set_gpmc_timing_reg(cs, GPMC_CS_CONFIG5, 8, 12, 0, t->wr_cycle,
GPMC_CD_FCLK, "wr_cycle");
ret |= set_gpmc_timing_reg(cs, GPMC_CS_CONFIG5, 16, 20, 0, t->access,
GPMC_CD_FCLK, "access");
ret |= set_gpmc_timing_reg(cs, GPMC_CS_CONFIG5, 24, 27, 0,
t->page_burst_access, GPMC_CD_FCLK,
"page_burst_access");
if (ret)
Reported by FlawFinder.
Line: 1535
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* rd_cycle */
temp = max_t(u32, dev_t->t_cez_r, dev_t->t_oez);
temp = gpmc_round_ps_to_sync_clk(temp, gpmc_t->sync_clk) +
gpmc_t->access;
/* XXX: barter t_ce_rdyz with t_cez_r ? */
if (dev_t->t_ce_rdyz)
temp = max_t(u32, temp, gpmc_t->cs_rd_off + dev_t->t_ce_rdyz);
gpmc_t->rd_cycle = gpmc_round_ps_to_ticks(temp);
Reported by FlawFinder.
Line: 1581
Column: 30
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* wr_access */
/* XXX: gpmc_capability check reqd ? , even if not, will not harm */
gpmc_t->wr_access = gpmc_t->access;
/* we_off */
temp = gpmc_t->we_on + dev_t->t_wpl;
temp = max_t(u32, temp,
gpmc_t->wr_access + gpmc_ticks_to_ps(1));
Reported by FlawFinder.
Line: 1755
Column: 5
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
t->oe_on /= 1000;
t->oe_off /= 1000;
t->page_burst_access /= 1000;
t->access /= 1000;
t->rd_cycle /= 1000;
t->wr_cycle /= 1000;
t->bus_turnaround /= 1000;
t->cycle2cycle_delay /= 1000;
t->wait_monitoring /= 1000;
Reported by FlawFinder.
Line: 2030
Column: 54
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* access and cycle timings */
of_property_read_u32(np, "gpmc,page-burst-access-ns",
&gpmc_t->page_burst_access);
of_property_read_u32(np, "gpmc,access-ns", &gpmc_t->access);
of_property_read_u32(np, "gpmc,rd-cycle-ns", &gpmc_t->rd_cycle);
of_property_read_u32(np, "gpmc,wr-cycle-ns", &gpmc_t->wr_cycle);
of_property_read_u32(np, "gpmc,bus-turnaround-ns",
&gpmc_t->bus_turnaround);
of_property_read_u32(np, "gpmc,cycle2cycle-delay-ns",
Reported by FlawFinder.
drivers/memory/emif.c
5 issues
Line: 1033
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto error;
}
memcpy(temp, pd, sizeof(*pd));
pd = temp;
memcpy(dev_info, pd->device_info, sizeof(*dev_info));
pd->device_info = dev_info;
emif->plat_data = pd;
Reported by FlawFinder.
Line: 1035
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(temp, pd, sizeof(*pd));
pd = temp;
memcpy(dev_info, pd->device_info, sizeof(*dev_info));
pd->device_info = dev_info;
emif->plat_data = pd;
emif->dev = dev;
emif->temperature_level = SDRAM_TEMP_NOMINAL;
Reported by FlawFinder.
Line: 1069
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cust_cfgs && is_custom_config_valid(cust_cfgs, dev)) {
temp = devm_kzalloc(dev, sizeof(*cust_cfgs), GFP_KERNEL);
if (temp)
memcpy(temp, cust_cfgs, sizeof(*cust_cfgs));
else
dev_warn(dev, "%s:%d: allocation error\n", __func__,
__LINE__);
pd->custom_configs = temp;
}
Reported by FlawFinder.
Line: 1084
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pd->timings) {
temp = devm_kzalloc(dev, size, GFP_KERNEL);
if (temp) {
memcpy(temp, pd->timings, size);
pd->timings = temp;
} else {
dev_warn(dev, "%s:%d: allocation error\n", __func__,
__LINE__);
get_default_timings(emif);
Reported by FlawFinder.
Line: 1098
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pd->min_tck) {
temp = devm_kzalloc(dev, sizeof(*pd->min_tck), GFP_KERNEL);
if (temp) {
memcpy(temp, pd->min_tck, sizeof(*pd->min_tck));
pd->min_tck = temp;
} else {
dev_warn(dev, "%s:%d: allocation error\n", __func__,
__LINE__);
pd->min_tck = &lpddr2_jedec_min_tck;
Reported by FlawFinder.
drivers/md/dm-log-userspace-transfer.c
5 issues
Line: 119
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pkg->error = -ENOSPC;
} else {
pkg->error = tfr->error;
memcpy(pkg->data, tfr->data, tfr->data_size);
*(pkg->data_size) = tfr->data_size;
}
complete(&pkg->complete);
return 0;
}
Reported by FlawFinder.
Line: 201
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&dm_ulog_lock);
memset(tfr, 0, DM_ULOG_PREALLOCED_SIZE - sizeof(struct cn_msg));
memcpy(tfr->uuid, uuid, DM_UUID_LEN);
tfr->version = DM_ULOG_REQUEST_VERSION;
tfr->luid = luid;
tfr->seq = dm_ulog_seq++;
/*
Reported by FlawFinder.
Line: 215
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tfr->data_size = data_size;
if (data && data_size)
memcpy(tfr->data, data, data_size);
memset(&pkg, 0, sizeof(pkg));
init_completion(&pkg.complete);
pkg.seq = tfr->seq;
pkg.data_size = rdata_size;
Reported by FlawFinder.
Line: 246
Column: 11
CWE codes:
126
spin_unlock(&receiving_list_lock);
if (!tmo) {
DMWARN("[%s] Request timed out: [%u/%u] - retrying",
(strlen(uuid) > 8) ?
(uuid + (strlen(uuid) - 8)) : (uuid),
request_type, pkg.seq);
goto resend;
}
Reported by FlawFinder.
Line: 247
Column: 19
CWE codes:
126
if (!tmo) {
DMWARN("[%s] Request timed out: [%u/%u] - retrying",
(strlen(uuid) > 8) ?
(uuid + (strlen(uuid) - 8)) : (uuid),
request_type, pkg.seq);
goto resend;
}
r = pkg.error;
Reported by FlawFinder.
drivers/media/usb/gspca/m5602/m5602_core.c
5 issues
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gspca_dbg(gspca_dev, D_CONF, "Writing bridge register 0x%x with 0x%x\n",
address, i2c_data);
memcpy(buf, bridge_urb_skeleton,
sizeof(bridge_urb_skeleton));
buf[1] = address;
buf[3] = i2c_data;
err = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len > sd->sensor->i2c_regW || !len)
return -EINVAL;
memcpy(buf, sensor_urb_skeleton,
sizeof(sensor_urb_skeleton));
buf[11] = sd->sensor->i2c_slave_id;
buf[15] = address;
Reported by FlawFinder.
Line: 183
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy a four byte write sequence for each byte to be written to */
for (i = 0; i < len; i++) {
memcpy(p, sensor_urb_skeleton + 16, 4);
p[3] = i2c_data[i];
p += 4;
gspca_dbg(gspca_dev, D_CONF, "Writing sensor register 0x%x with 0x%x\n",
address, i2c_data[i]);
}
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy the tailer */
memcpy(p, sensor_urb_skeleton + 20, 4);
/* Set the total length */
p[3] = 0x10 + len;
err = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
Reported by FlawFinder.
Line: 292
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (sd->sensor->start)
sd->sensor->start(sd);
memcpy(buf, buffer, sizeof(buffer));
err = usb_control_msg(gspca_dev->dev,
usb_sndctrlpipe(gspca_dev->dev, 0),
0x04, 0x40, 0x19, 0x0000, buf,
sizeof(buffer), M5602_URB_MSG_TIMEOUT);
Reported by FlawFinder.
drivers/net/ethernet/apm/xgene/xgene_enet_ethtool.c
5 issues
Line: 106
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct platform_device *pdev = pdata->pdev;
strcpy(info->driver, "xgene_enet");
sprintf(info->bus_info, "%s", pdev->name);
}
static int xgene_get_link_ksettings(struct net_device *ndev,
struct ethtool_link_ksettings *cmd)
{
Reported by FlawFinder.
Line: 12
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include "xgene_enet_main.h"
struct xgene_gstrings_stats {
char name[ETH_GSTRING_LEN];
int offset;
u32 addr;
u32 mask;
};
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct xgene_enet_pdata *pdata = netdev_priv(ndev);
struct platform_device *pdev = pdata->pdev;
strcpy(info->driver, "xgene_enet");
sprintf(info->bus_info, "%s", pdev->name);
}
static int xgene_get_link_ksettings(struct net_device *ndev,
struct ethtool_link_ksettings *cmd)
Reported by FlawFinder.
Line: 198
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
for (i = 0; i < XGENE_STATS_LEN; i++) {
memcpy(p, gstrings_stats[i].name, ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
for (i = 0; i < XGENE_EXTD_STATS_LEN; i++) {
memcpy(p, gstrings_extd_stats[i].name, ETH_GSTRING_LEN);
Reported by FlawFinder.
Line: 203
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (i = 0; i < XGENE_EXTD_STATS_LEN; i++) {
memcpy(p, gstrings_extd_stats[i].name, ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
}
static int xgene_get_sset_count(struct net_device *ndev, int sset)
Reported by FlawFinder.
drivers/net/ethernet/apple/bmac.c
5 issues
Line: 1573
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf(buffer, "BMAC counters & registers\n");
for (i = 0; i<N_REG_ENTRIES; i++) {
len += sprintf(buffer + len, "%s: %#08x\n",
reg_entries[i].name,
bmread(bmac_devs, reg_entries[i].reg_offset));
pos = begin + len;
if (pos < offset) {
Reported by FlawFinder.
Line: 1217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb = netdev_alloc_skb(dev, ETHERMINPACKET);
if (skb != NULL) {
data = skb_put_zero(skb, ETHERMINPACKET);
memcpy(data, dev->dev_addr, ETH_ALEN);
memcpy(data + ETH_ALEN, dev->dev_addr, ETH_ALEN);
bmac_transmit_packet(skb, dev);
}
spin_unlock_irqrestore(&bp->lock, flags);
}
Reported by FlawFinder.
Line: 1218
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (skb != NULL) {
data = skb_put_zero(skb, ETHERMINPACKET);
memcpy(data, dev->dev_addr, ETH_ALEN);
memcpy(data + ETH_ALEN, dev->dev_addr, ETH_ALEN);
bmac_transmit_packet(skb, dev);
}
spin_unlock_irqrestore(&bp->lock, flags);
}
Reported by FlawFinder.
Line: 1242
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int j, rev, ret;
struct bmac_data *bp;
const unsigned char *prop_addr;
unsigned char addr[6];
struct net_device *dev;
int is_bmac_plus = ((int)match->data) != 0;
if (macio_resource_count(mdev) != 3 || macio_irq_count(mdev) != 3) {
printk(KERN_ERR "BMAC: can't use, need 3 addrs and 3 intrs\n");
Reported by FlawFinder.
Line: 1570
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (bmac_devs == NULL)
return -ENOSYS;
len += sprintf(buffer, "BMAC counters & registers\n");
for (i = 0; i<N_REG_ENTRIES; i++) {
len += sprintf(buffer + len, "%s: %#08x\n",
reg_entries[i].name,
bmread(bmac_devs, reg_entries[i].reg_offset));
Reported by FlawFinder.
drivers/media/i2c/et8ek8/et8ek8_driver.c
5 issues
Line: 146
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int r;
struct i2c_msg msg;
unsigned char data[4];
if (!client->adapter)
return -ENODEV;
if (data_length != ET8EK8_REG_8BIT && data_length != ET8EK8_REG_16BIT)
return -EINVAL;
Reported by FlawFinder.
Line: 223
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cnt)
{
struct i2c_msg msg[ET8EK8_MAX_MSG];
unsigned char data[ET8EK8_MAX_MSG][6];
int wcnt = 0;
u16 reg, data_length;
u32 val;
int rval;
Reported by FlawFinder.
Line: 340
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int r;
struct i2c_msg msg;
unsigned char data[6];
if (!client->adapter)
return -ENODEV;
if (data_length != ET8EK8_REG_8BIT && data_length != ET8EK8_REG_16BIT)
return -EINVAL;
Reported by FlawFinder.
Line: 1147
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return rval;
rval = 0;
memcpy(ptr, buffer, bytes);
length -= bytes;
offset += bytes;
ptr += bytes;
} while (length > 0);
Reported by FlawFinder.
Line: 1250
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#error PAGE_SIZE too small!
#endif
memcpy(buf, sensor->priv_mem, ET8EK8_PRIV_MEM_SIZE);
return ET8EK8_PRIV_MEM_SIZE;
}
static DEVICE_ATTR(priv_mem, 0444, et8ek8_priv_mem_read, NULL);
Reported by FlawFinder.
drivers/media/platform/qcom/venus/core.h
5 issues
Line: 59
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int bw_tbl_dec_size;
const struct reg_val *reg_tbl;
unsigned int reg_tbl_size;
const char * const clks[VIDC_CLKS_NUM_MAX];
unsigned int clks_num;
const char * const vcodec0_clks[VIDC_VCODEC_CLKS_NUM_MAX];
const char * const vcodec1_clks[VIDC_VCODEC_CLKS_NUM_MAX];
unsigned int vcodec_clks_num;
const char * const vcodec_pmdomains[VIDC_PMDOMAINS_NUM_MAX];
Reported by FlawFinder.
Line: 61
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int reg_tbl_size;
const char * const clks[VIDC_CLKS_NUM_MAX];
unsigned int clks_num;
const char * const vcodec0_clks[VIDC_VCODEC_CLKS_NUM_MAX];
const char * const vcodec1_clks[VIDC_VCODEC_CLKS_NUM_MAX];
unsigned int vcodec_clks_num;
const char * const vcodec_pmdomains[VIDC_PMDOMAINS_NUM_MAX];
unsigned int vcodec_pmdomains_num;
const char **opp_pmdomain;
Reported by FlawFinder.
Line: 62
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char * const clks[VIDC_CLKS_NUM_MAX];
unsigned int clks_num;
const char * const vcodec0_clks[VIDC_VCODEC_CLKS_NUM_MAX];
const char * const vcodec1_clks[VIDC_VCODEC_CLKS_NUM_MAX];
unsigned int vcodec_clks_num;
const char * const vcodec_pmdomains[VIDC_PMDOMAINS_NUM_MAX];
unsigned int vcodec_pmdomains_num;
const char **opp_pmdomain;
unsigned int vcodec_num;
Reported by FlawFinder.
Line: 64
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char * const vcodec0_clks[VIDC_VCODEC_CLKS_NUM_MAX];
const char * const vcodec1_clks[VIDC_VCODEC_CLKS_NUM_MAX];
unsigned int vcodec_clks_num;
const char * const vcodec_pmdomains[VIDC_PMDOMAINS_NUM_MAX];
unsigned int vcodec_pmdomains_num;
const char **opp_pmdomain;
unsigned int vcodec_num;
const char * const resets[VIDC_RESETS_NUM_MAX];
unsigned int resets_num;
Reported by FlawFinder.
Line: 68
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int vcodec_pmdomains_num;
const char **opp_pmdomain;
unsigned int vcodec_num;
const char * const resets[VIDC_RESETS_NUM_MAX];
unsigned int resets_num;
enum hfi_version hfi_version;
u32 max_load;
unsigned int vmem_id;
u32 vmem_size;
Reported by FlawFinder.