The following issues were found
drivers/hid/hid-logitech-dj.c
5 issues
Line: 715
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Device index goes from 1 to 6, we need 3 bytes to store the
* semicolon, the index, and a null terminator
*/
unsigned char tmpstr[3];
/* We are the only one ever adding a device, no need to lock */
if (djrcv_dev->paired_dj_devices[device_index]) {
/* The device is already known. No need to reallocate it. */
dbg_hid("%s: device is already known\n", __func__);
Reported by FlawFinder.
Line: 763
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
dj_hiddev->group = HID_GROUP_LOGITECH_DJ_DEVICE;
memcpy(dj_hiddev->phys, djrcv_hdev->phys, sizeof(djrcv_hdev->phys));
snprintf(tmpstr, sizeof(tmpstr), ":%d", device_index);
strlcat(dj_hiddev->phys, tmpstr, sizeof(dj_hiddev->phys));
dj_dev = kzalloc(sizeof(struct dj_device), GFP_KERNEL);
Reported by FlawFinder.
Line: 1391
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
out_buf[0] = REPORT_ID_DJ_SHORT;
out_buf[1] = djdev->device_index;
memcpy(out_buf + 2, buf, count);
ret = hid_hw_raw_request(djrcv_dev->hidpp, out_buf[0], out_buf,
DJREPORT_SHORT_LENGTH, report_type, reqtype);
kfree(out_buf);
Reported by FlawFinder.
Line: 1402
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void rdcat(char *rdesc, unsigned int *rsize, const char *data, unsigned int size)
{
memcpy(rdesc + *rsize, data, size);
*rsize += size;
}
static int logi_dj_ll_parse(struct hid_device *hid)
{
Reported by FlawFinder.
Line: 1702
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Prepend report id */
mouse_report[0] = REPORT_TYPE_MOUSE;
memcpy(mouse_report + 1, data, size);
logi_dj_recv_forward_input_report(hdev, mouse_report,
size + 1);
}
return false;
Reported by FlawFinder.
drivers/isdn/hardware/mISDN/hfcsusb.c
5 issues
Line: 545
Column: 44
CWE codes:
362
printk(KERN_DEBUG
"%s: %s: dev(%d) close from %p (open %d)\n",
hw->name, __func__, hw->dch.dev.id,
__builtin_return_address(0), hw->open);
if (!hw->open) {
hfcsusb_stop_endpoint(hw, HFC_CHAN_D);
if (hw->fifos[HFCUSB_PCM_RX].pipe)
hfcsusb_stop_endpoint(hw, HFC_CHAN_E);
handle_led(hw, LED_POWER_ON);
Reported by FlawFinder.
Line: 546
Column: 12
CWE codes:
362
"%s: %s: dev(%d) close from %p (open %d)\n",
hw->name, __func__, hw->dch.dev.id,
__builtin_return_address(0), hw->open);
if (!hw->open) {
hfcsusb_stop_endpoint(hw, HFC_CHAN_D);
if (hw->fifos[HFCUSB_PCM_RX].pipe)
hfcsusb_stop_endpoint(hw, HFC_CHAN_E);
handle_led(hw, LED_POWER_ON);
}
Reported by FlawFinder.
Line: 1280
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(p, fifo->bch->fill[0],
current_len);
} else {
memcpy(p, (tx_skb->data + *tx_idx),
current_len);
*tx_idx += current_len;
}
urb->iso_frame_desc[k].offset = tx_offset;
urb->iso_frame_desc[k].length = current_len + 1;
Reported by FlawFinder.
Line: 1706
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = read_reg_atomic(hw, HFCUSB_CHIP_ID, dmabuf);
memcpy(&b, dmabuf, sizeof(u_char));
kfree(dmabuf);
/* check the chip id */
if (ret != 1) {
printk(KERN_DEBUG "%s: %s: cannot read chip id\n",
Reported by FlawFinder.
Line: 1959
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cfg_found = 1;
vcf = validconf[cfg_used];
ep = iface->endpoint;
memcpy(cmptbl, vcf, 16 * sizeof(int));
/* check for all endpoints in this alternate setting */
for (i = 0; i < iface->desc.bNumEndpoints; i++) {
ep_addr = ep->desc.bEndpointAddress;
Reported by FlawFinder.
drivers/hid/hid-roccat.c
5 issues
Line: 42
Column: 6
CWE codes:
362
struct roccat_device {
unsigned int minor;
int report_size;
int open;
int exist;
wait_queue_head_t wait;
struct device *dev;
struct hid_device *hid;
struct list_head readers;
Reported by FlawFinder.
Line: 175
Column: 14
CWE codes:
362
/* power on device on adding first reader */
error = hid_hw_power(device->hid, PM_HINT_FULLON);
if (error < 0) {
--device->open;
goto exit_err_readers;
}
error = hid_hw_open(device->hid);
if (error < 0) {
Reported by FlawFinder.
Line: 182
Column: 14
CWE codes:
362
error = hid_hw_open(device->hid);
if (error < 0) {
hid_hw_power(device->hid, PM_HINT_NORMAL);
--device->open;
goto exit_err_readers;
}
}
reader->device = device;
Reported by FlawFinder.
Line: 223
Column: 17
CWE codes:
362
mutex_unlock(&device->readers_lock);
kfree(reader);
if (!--device->open) {
/* removing last reader */
if (device->exist) {
hid_hw_power(device->hid, PM_HINT_NORMAL);
hid_hw_close(device->hid);
} else {
Reported by FlawFinder.
Line: 367
Column: 14
CWE codes:
362
devices[minor] = NULL;
mutex_unlock(&devices_lock);
if (device->open) {
hid_hw_close(device->hid);
wake_up_interruptible(&device->wait);
} else {
kfree(device);
}
Reported by FlawFinder.
drivers/hid/hid-uclogic-params.c
5 issues
Line: 574
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = desc;
if (common_present) {
memcpy(p, params->desc_ptr,
params->desc_size);
p += params->desc_size;
}
if (pen_present) {
memcpy(p, params->pen.desc_ptr,
Reported by FlawFinder.
Line: 579
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += params->desc_size;
}
if (pen_present) {
memcpy(p, params->pen.desc_ptr,
params->pen.desc_size);
p += params->pen.desc_size;
}
if (frame_present) {
memcpy(p, params->frame.desc_ptr,
Reported by FlawFinder.
Line: 584
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += params->pen.desc_size;
}
if (frame_present) {
memcpy(p, params->frame.desc_ptr,
params->frame.desc_size);
p += params->frame.desc_size;
}
WARN_ON(p != desc + size);
Reported by FlawFinder.
Line: 810
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
output:
/* Output parameters */
memcpy(params, &p, sizeof(*params));
memset(&p, 0, sizeof(p));
rc = 0;
cleanup:
kfree(ver_ptr);
uclogic_params_cleanup(&p);
Reported by FlawFinder.
Line: 1122
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#undef WITH_OPT_DESC
/* Output parameters */
memcpy(params, &p, sizeof(*params));
memset(&p, 0, sizeof(p));
rc = 0;
cleanup:
uclogic_params_cleanup(&p);
return rc;
Reported by FlawFinder.
drivers/hid/intel-ish-hid/ishtp/hbm.c
5 issues
Line: 414
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const size_t len = sizeof(struct hbm_client_connect_response);
unsigned long flags;
struct ishtp_msg_hdr hdr;
unsigned char data[4]; /* All HBM messages are 4 bytes */
spin_lock_irqsave(&dev->cl_list_lock, flags);
list_for_each_entry(cl, &dev->cl_list, link) {
if (ishtp_hbm_cl_addr_equal(cl, disconnect_req)) {
cl->state = ISHTP_CL_DISCONNECTED;
Reported by FlawFinder.
Line: 661
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case HOST_ENUM_RES_CMD:
enum_res = (struct hbm_host_enum_response *) ishtp_msg;
memcpy(dev->fw_clients_map, enum_res->valid_addresses, 32);
if (dev->dev_state == ISHTP_DEV_INIT_CLIENTS &&
dev->hbm_state == ISHTP_HBM_ENUM_CLIENTS) {
dev->fw_client_presentation_num = 0;
dev->fw_client_index = 0;
Reported by FlawFinder.
Line: 744
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
unsigned long flags;
struct ishtp_device *dev;
unsigned char hbm[IPC_PAYLOAD_SIZE];
dev = container_of(work, struct ishtp_device, bh_hbm_work);
spin_lock_irqsave(&dev->rd_msg_spinlock, flags);
if (dev->rd_msg_fifo_head != dev->rd_msg_fifo_tail) {
memcpy(hbm, dev->rd_msg_fifo + dev->rd_msg_fifo_head,
Reported by FlawFinder.
Line: 749
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev = container_of(work, struct ishtp_device, bh_hbm_work);
spin_lock_irqsave(&dev->rd_msg_spinlock, flags);
if (dev->rd_msg_fifo_head != dev->rd_msg_fifo_tail) {
memcpy(hbm, dev->rd_msg_fifo + dev->rd_msg_fifo_head,
IPC_PAYLOAD_SIZE);
dev->rd_msg_fifo_head =
(dev->rd_msg_fifo_head + IPC_PAYLOAD_SIZE) %
(RD_INT_FIFO_SIZE * IPC_PAYLOAD_SIZE);
spin_unlock_irqrestore(&dev->rd_msg_spinlock, flags);
Reported by FlawFinder.
Line: 857
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(unsigned int)ishtp_msg->hbm_cmd);
goto eoi;
}
memcpy(dev->rd_msg_fifo + dev->rd_msg_fifo_tail, ishtp_msg,
ishtp_hdr->length);
dev->rd_msg_fifo_tail = (dev->rd_msg_fifo_tail + IPC_PAYLOAD_SIZE) %
(RD_INT_FIFO_SIZE * IPC_PAYLOAD_SIZE);
spin_unlock_irqrestore(&dev->rd_msg_spinlock, flags);
schedule_work(&dev->bh_hbm_work);
Reported by FlawFinder.
drivers/hid/usbhid/hid-core.c
5 issues
Line: 65
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_PARM_DESC(ignoreled, "Autosuspend with active leds");
/* Quirks specified at module load time */
static char *quirks_param[MAX_USBHID_BOOT_QUIRKS];
module_param_array_named(quirks, quirks_param, charp, NULL, 0444);
MODULE_PARM_DESC(quirks, "Add/modify USB HID quirks by specifying "
" quirks=vendorID:productID:quirks"
" where vendorID, productID, and quirks are all in"
" 0x-prefixed hex");
Reported by FlawFinder.
Line: 348
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
usbhid->urbout->transfer_buffer_length = hid_report_len(report);
usbhid->urbout->dev = hid_to_usb_dev(hid);
if (raw_report) {
memcpy(usbhid->outbuf, raw_report,
usbhid->urbout->transfer_buffer_length);
kfree(raw_report);
usbhid->out[usbhid->outtail].raw_report = NULL;
}
Reported by FlawFinder.
Line: 382
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0);
usbhid->urbctrl->transfer_buffer_length = len;
if (raw_report) {
memcpy(usbhid->ctrlbuf, raw_report, len);
kfree(raw_report);
usbhid->ctrl[usbhid->ctrltail].raw_report = NULL;
}
} else {
int maxpacket, padlen;
Reported by FlawFinder.
Line: 1385
Column: 7
CWE codes:
126
strlcat(hid->name, dev->product, sizeof(hid->name));
}
if (!strlen(hid->name))
snprintf(hid->name, sizeof(hid->name), "HID %04x:%04x",
le16_to_cpu(dev->descriptor.idVendor),
le16_to_cpu(dev->descriptor.idProduct));
usb_make_path(dev, hid->phys, sizeof(hid->phys));
Reported by FlawFinder.
Line: 1392
Column: 8
CWE codes:
126
usb_make_path(dev, hid->phys, sizeof(hid->phys));
strlcat(hid->phys, "/input", sizeof(hid->phys));
len = strlen(hid->phys);
if (len < sizeof(hid->phys) - 1)
snprintf(hid->phys + len, sizeof(hid->phys) - len,
"%d", intf->altsetting[0].desc.bInterfaceNumber);
if (usb_string(dev, dev->descriptor.iSerialNumber, hid->uniq, 64) <= 0)
Reported by FlawFinder.
drivers/hid/wacom_wac.h
5 issues
Line: 332
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct wacom_wac {
char name[WACOM_NAME_MAX];
char pen_name[WACOM_NAME_MAX];
char touch_name[WACOM_NAME_MAX];
char pad_name[WACOM_NAME_MAX];
unsigned char data[WACOM_PKGLEN_MAX];
int tool[2];
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wacom_wac {
char name[WACOM_NAME_MAX];
char pen_name[WACOM_NAME_MAX];
char touch_name[WACOM_NAME_MAX];
char pad_name[WACOM_NAME_MAX];
unsigned char data[WACOM_PKGLEN_MAX];
int tool[2];
int id[2];
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wacom_wac {
char name[WACOM_NAME_MAX];
char pen_name[WACOM_NAME_MAX];
char touch_name[WACOM_NAME_MAX];
char pad_name[WACOM_NAME_MAX];
unsigned char data[WACOM_PKGLEN_MAX];
int tool[2];
int id[2];
__u64 serial[2];
Reported by FlawFinder.
Line: 335
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[WACOM_NAME_MAX];
char pen_name[WACOM_NAME_MAX];
char touch_name[WACOM_NAME_MAX];
char pad_name[WACOM_NAME_MAX];
unsigned char data[WACOM_PKGLEN_MAX];
int tool[2];
int id[2];
__u64 serial[2];
bool reporting_data;
Reported by FlawFinder.
Line: 336
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char pen_name[WACOM_NAME_MAX];
char touch_name[WACOM_NAME_MAX];
char pad_name[WACOM_NAME_MAX];
unsigned char data[WACOM_PKGLEN_MAX];
int tool[2];
int id[2];
__u64 serial[2];
bool reporting_data;
struct wacom_features features;
Reported by FlawFinder.
drivers/hwmon/adm1029.c
5 issues
Line: 164
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct sensor_device_attribute *attr = to_sensor_dev_attr(devattr);
struct adm1029_data *data = adm1029_update_device(dev);
return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[attr->index]));
}
static ssize_t
fan_show(struct device *dev, struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 177
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (data->fan[attr->index] == 0 ||
(data->fan_div[attr->index] & 0xC0) == 0 ||
data->fan[attr->index] == 255) {
return sprintf(buf, "0\n");
}
val = 1880 * 120 / DIV_FROM_REG(data->fan_div[attr->index])
/ data->fan[attr->index];
return sprintf(buf, "%d\n", val);
Reported by FlawFinder.
Line: 182
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
val = 1880 * 120 / DIV_FROM_REG(data->fan_div[attr->index])
/ data->fan[attr->index];
return sprintf(buf, "%d\n", val);
}
static ssize_t
fan_div_show(struct device *dev, struct device_attribute *devattr, char *buf)
{
Reported by FlawFinder.
Line: 192
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct adm1029_data *data = adm1029_update_device(dev);
if ((data->fan_div[attr->index] & 0xC0) == 0)
return sprintf(buf, "0\n");
return sprintf(buf, "%d\n", DIV_FROM_REG(data->fan_div[attr->index]));
}
static ssize_t fan_div_store(struct device *dev,
struct device_attribute *devattr,
Reported by FlawFinder.
Line: 193
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if ((data->fan_div[attr->index] & 0xC0) == 0)
return sprintf(buf, "0\n");
return sprintf(buf, "%d\n", DIV_FROM_REG(data->fan_div[attr->index]));
}
static ssize_t fan_div_store(struct device *dev,
struct device_attribute *devattr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/infiniband/core/cache.c
5 issues
Line: 315
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
entry->ndev_storage->ndev = ndev;
}
kref_init(&entry->kref);
memcpy(&entry->attr, attr, sizeof(*attr));
INIT_WORK(&entry->del_work, free_gid_work);
entry->state = GID_TABLE_ENTRY_INVALID;
return entry;
}
Reported by FlawFinder.
Line: 970
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
!is_gid_entry_valid(table->data_vec[index]))
goto done;
memcpy(gid, &table->data_vec[index]->attr.gid, sizeof(*gid));
res = 0;
done:
read_unlock_irqrestore(&table->rwlock, flags);
return res;
Reported by FlawFinder.
Line: 1271
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
gid_attr = &table->data_vec[i]->attr;
memcpy(&entries->gid, &gid_attr->gid,
sizeof(gid_attr->gid));
entries->gid_index = gid_attr->index;
entries->port_num = gid_attr->port_num;
entries->gid_type = gid_attr->gid_type;
ndev = rcu_dereference_protected(
Reported by FlawFinder.
Line: 182
Column: 8
CWE codes:
126
size_t len;
int err = -EINVAL;
len = strlen(buf);
if (len == 0)
return -EINVAL;
if (buf[len - 1] == '\n')
len--;
Reported by FlawFinder.
Line: 191
Column: 14
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(gid_type_str); ++i)
if (gid_type_str[i] && !strncmp(buf, gid_type_str[i], len) &&
len == strlen(gid_type_str[i])) {
err = i;
break;
}
return err;
Reported by FlawFinder.
drivers/hwmon/corsair-psu.c
5 issues
Line: 123
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct completion wait_completion;
struct mutex lock; /* for locking access to cmd_buffer */
u8 *cmd_buffer;
char vendor[REPLY_SIZE];
char product[REPLY_SIZE];
long temp_crit[TEMP_COUNT];
long in_crit[RAIL_COUNT];
long in_lcrit[RAIL_COUNT];
long curr_crit[RAIL_COUNT];
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mutex lock; /* for locking access to cmd_buffer */
u8 *cmd_buffer;
char vendor[REPLY_SIZE];
char product[REPLY_SIZE];
long temp_crit[TEMP_COUNT];
long in_crit[RAIL_COUNT];
long in_lcrit[RAIL_COUNT];
long curr_crit[RAIL_COUNT];
u8 temp_crit_support;
Reported by FlawFinder.
Line: 176
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EOPNOTSUPP;
if (data)
memcpy(data, priv->cmd_buffer + 2, REPLY_SIZE);
return 0;
}
static int corsairpsu_init(struct corsairpsu_data *priv)
Reported by FlawFinder.
Line: 665
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void corsairpsu_debugfs_init(struct corsairpsu_data *priv)
{
char name[32];
scnprintf(name, sizeof(name), "%s-%s", DRIVER_NAME, dev_name(&priv->hdev->dev));
priv->debugfs = debugfs_create_dir(name, NULL);
debugfs_create_file("uptime", 0444, priv->debugfs, priv, &uptime_fops);
Reported by FlawFinder.
Line: 768
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (completion_done(&priv->wait_completion))
return 0;
memcpy(priv->cmd_buffer, data, min(CMD_BUFFER_SIZE, size));
complete(&priv->wait_completion);
return 0;
}
Reported by FlawFinder.