The following issues were found
drivers/rtc/rtc-isl1208.c
5 issues
Line: 82
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Chip capabilities table */
static const struct isl1208_config {
const char name[8];
unsigned int nvmem_length;
unsigned has_tamper:1;
unsigned has_timestamp:1;
} isl1208_configs[] = {
[TYPE_ISL1208] = { "isl1208", 2, false, false },
Reported by FlawFinder.
Line: 585
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (sr)
return sr;
return sprintf(buf, "%llu\n",
(unsigned long long)rtc_tm_to_time64(&tm));
};
static DEVICE_ATTR_RW(timestamp0);
Reported by FlawFinder.
Line: 665
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (atr < 0)
return atr;
return sprintf(buf, "%d.%.2d pF\n", atr >> 2, (atr & 0x3) * 25);
}
static DEVICE_ATTR(atrim, S_IRUGO, isl1208_sysfs_show_atrim, NULL);
static ssize_t
Reported by FlawFinder.
Line: 678
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (dtr < 0)
return dtr;
return sprintf(buf, "%d ppm\n", dtr - 100);
}
static DEVICE_ATTR(dtrim, S_IRUGO, isl1208_sysfs_show_dtrim, NULL);
static ssize_t
Reported by FlawFinder.
Line: 691
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (usr < 0)
return usr;
return sprintf(buf, "0x%.4x\n", usr);
}
static ssize_t
isl1208_sysfs_store_usr(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
drivers/power/supply/cpcap-battery.c
5 issues
Line: 490
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return error;
previous = cpcap_battery_previous(ddata);
memcpy(previous, latest, sizeof(*previous));
memcpy(latest, &state, sizeof(*latest));
if (cpcap_battery_full(ddata)) {
full = cpcap_battery_get_full(ddata);
memcpy(full, latest, sizeof(*full));
Reported by FlawFinder.
Line: 491
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
previous = cpcap_battery_previous(ddata);
memcpy(previous, latest, sizeof(*previous));
memcpy(latest, &state, sizeof(*latest));
if (cpcap_battery_full(ddata)) {
full = cpcap_battery_get_full(ddata);
memcpy(full, latest, sizeof(*full));
Reported by FlawFinder.
Line: 495
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cpcap_battery_full(ddata)) {
full = cpcap_battery_get_full(ddata);
memcpy(full, latest, sizeof(*full));
empty = cpcap_battery_get_empty(ddata);
if (empty->voltage && empty->voltage != -1) {
empty->voltage = -1;
ddata->charge_full =
Reported by FlawFinder.
Line: 509
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else if (cpcap_battery_low(ddata)) {
empty = cpcap_battery_get_empty(ddata);
memcpy(empty, latest, sizeof(*empty));
full = cpcap_battery_get_full(ddata);
if (full->voltage) {
full->voltage = 0;
ddata->charge_full =
Reported by FlawFinder.
Line: 905
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cpcap_battery_init_iio(struct cpcap_battery_ddata *ddata)
{
const char * const names[CPCAP_BATTERY_IIO_NR] = {
"battdetb", "battp", "chg_isense", "batti",
};
int error, i;
for (i = 0; i < CPCAP_BATTERY_IIO_NR; i++) {
Reported by FlawFinder.
drivers/net/wireless/intersil/hostap/hostap_wlan.h
5 issues
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct linux_wlan_ng_prism_hdr {
u32 msgcode, msglen;
char devname[16];
struct linux_wlan_ng_val hosttime, mactime, channel, rssi, sq, signal,
noise, rate, istx, frmlen;
} __packed;
struct linux_wlan_ng_cap_hdr {
Reported by FlawFinder.
Line: 684
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ap_data *ap;
char essid[MAX_SSID_LEN + 1];
char name[MAX_NAME_LEN + 1];
int name_set;
u16 channel_mask; /* mask of allowed channels */
u16 scan_channel_mask; /* mask of channels to be scanned */
struct comm_tallies_sums comm_tallies;
Reported by FlawFinder.
Line: 685
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ap_data *ap;
char essid[MAX_SSID_LEN + 1];
char name[MAX_NAME_LEN + 1];
int name_set;
u16 channel_mask; /* mask of allowed channels */
u16 scan_channel_mask; /* mask of channels to be scanned */
struct comm_tallies_sums comm_tallies;
struct proc_dir_entry *proc;
Reported by FlawFinder.
Line: 694
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int iw_mode; /* operating mode (IW_MODE_*) */
int pseudo_adhoc; /* 0: IW_MODE_ADHOC is real 802.11 compliant IBSS
* 1: IW_MODE_ADHOC is "pseudo IBSS" */
char bssid[ETH_ALEN];
int channel;
int beacon_int;
int dtim_period;
int mtu;
int frame_dump; /* dump RX/TX frame headers, PRISM2_DUMP_ flags */
Reported by FlawFinder.
Line: 763
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct net_device *apdev;
struct net_device_stats apdevstats;
char assoc_ap_addr[ETH_ALEN];
struct net_device *stadev;
struct net_device_stats stadevstats;
#define WEP_KEYS 4
#define WEP_KEY_LEN 13
Reported by FlawFinder.
drivers/platform/x86/huawei-wmi.c
5 issues
Line: 246
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (buf) {
len = min(buflen, len);
memcpy(buf, obj->buffer.pointer, len);
}
fail_cmd:
kfree(out.pointer);
return err;
Reported by FlawFinder.
Line: 382
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
return sprintf(buf, "%d\n", start);
}
static ssize_t charge_control_end_threshold_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 395
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
return sprintf(buf, "%d\n", end);
}
static ssize_t charge_control_thresholds_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 408
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
return sprintf(buf, "%d %d\n", start, end);
}
static ssize_t charge_control_start_threshold_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t size)
Reported by FlawFinder.
Line: 558
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (err)
return err;
return sprintf(buf, "%d\n", on);
}
static ssize_t fn_lock_state_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t size)
Reported by FlawFinder.
drivers/s390/block/dasd_3990_erp.c
5 issues
Line: 401
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dasd_device *device = erp->startdev;
char msg_format = (sense[7] & 0xF0);
char msg_no = (sense[7] & 0x0F);
char errorstring[ERRORLENGTH];
switch (msg_format) {
case 0x00: /* Format 0 - Program or System Checks */
if (sense[1] & 0x10) { /* check message to operator bit */
Reported by FlawFinder.
Line: 1672
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
oldccw = cqr->cpaddr;
if (oldccw->cmd_code == DASD_ECKD_CCW_PFX) {
PFX_data = cqr->data;
memcpy(DE_data, &PFX_data->define_extent,
sizeof(struct DE_eckd_data));
} else
memcpy(DE_data, cqr->data, sizeof(struct DE_eckd_data));
/* create LO */
Reported by FlawFinder.
Line: 1675
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(DE_data, &PFX_data->define_extent,
sizeof(struct DE_eckd_data));
} else
memcpy(DE_data, cqr->data, sizeof(struct DE_eckd_data));
/* create LO */
LO_data = erp->data + sizeof(struct DE_eckd_data);
if ((sense[3] == 0x01) && (LO_data[1] & 0x01)) {
Reported by FlawFinder.
Line: 1704
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
LO_data[5] = sense[30]; /* seek_addr.cyl 2nd byte */
LO_data[7] = sense[31]; /* seek_addr.head 2nd byte */
memcpy(&(LO_data[8]), &(sense[11]), 8);
/* create DE ccw */
ccw = erp->cpaddr;
memset(ccw, 0, sizeof(struct ccw1));
ccw->cmd_code = DASD_ECKD_CCW_DEFINE_EXTENT;
Reported by FlawFinder.
Line: 1846
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
LO_data[5] = sense[30]; /* seek_addr.cyl 2nd byte */
LO_data[7] = sense[31]; /* seek_addr.head 2nd byte */
memcpy(&(LO_data[8]), &(sense[11]), 8);
/* TIC to the failed ccw */
ccw = erp->cpaddr; /* addr of DE ccw */
ccw++; /* addr of LE ccw */
ccw++; /* addr of TIC ccw */
Reported by FlawFinder.
drivers/platform/surface/surface3_power.c
5 issues
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 min_average_interval;
u32 battery_capacity_granularity_1;
u32 battery_capacity_granularity_2;
char model[SURFACE_3_STRLEN];
char serial[SURFACE_3_STRLEN];
char type[SURFACE_3_STRLEN];
char OEM[SURFACE_3_STRLEN];
} __packed;
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 battery_capacity_granularity_1;
u32 battery_capacity_granularity_2;
char model[SURFACE_3_STRLEN];
char serial[SURFACE_3_STRLEN];
char type[SURFACE_3_STRLEN];
char OEM[SURFACE_3_STRLEN];
} __packed;
struct bst {
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 battery_capacity_granularity_2;
char model[SURFACE_3_STRLEN];
char serial[SURFACE_3_STRLEN];
char type[SURFACE_3_STRLEN];
char OEM[SURFACE_3_STRLEN];
} __packed;
struct bst {
u32 battery_state;
Reported by FlawFinder.
Line: 86
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char model[SURFACE_3_STRLEN];
char serial[SURFACE_3_STRLEN];
char type[SURFACE_3_STRLEN];
char OEM[SURFACE_3_STRLEN];
} __packed;
struct bst {
u32 battery_state;
s32 battery_present_rate;
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mshw0011_bix(struct mshw0011_data *cdata, struct bix *bix)
{
struct i2c_client *client = cdata->bat0;
char buf[SURFACE_3_STRLEN];
int ret;
*bix = default_bix;
/* get design capacity */
Reported by FlawFinder.
drivers/net/wireless/intersil/orinoco/orinoco.h
5 issues
Line: 34
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct orinoco_key {
__le16 len; /* always stored as little-endian */
char data[ORINOCO_MAX_KEY_SIZE];
} __packed;
#define TKIP_KEYLEN 16
#define MIC_KEYLEN 8
Reported by FlawFinder.
Line: 80
Column: 6
CWE codes:
362
struct list_head rx_list;
/* driver state */
int open;
u16 last_linkstatus;
struct work_struct join_work;
struct work_struct wevent_work;
/* Net device stuff */
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct key_params keys[ORINOCO_MAX_KEYS];
int bitratemode;
char nick[IW_ESSID_MAX_SIZE + 1];
char desired_essid[IW_ESSID_MAX_SIZE + 1];
char desired_bssid[ETH_ALEN];
int bssid_fixed;
u16 frag_thresh, mwo_robust;
u16 channel;
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bitratemode;
char nick[IW_ESSID_MAX_SIZE + 1];
char desired_essid[IW_ESSID_MAX_SIZE + 1];
char desired_bssid[ETH_ALEN];
int bssid_fixed;
u16 frag_thresh, mwo_robust;
u16 channel;
u16 ap_density, rts_thresh;
Reported by FlawFinder.
Line: 126
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int bitratemode;
char nick[IW_ESSID_MAX_SIZE + 1];
char desired_essid[IW_ESSID_MAX_SIZE + 1];
char desired_bssid[ETH_ALEN];
int bssid_fixed;
u16 frag_thresh, mwo_robust;
u16 channel;
u16 ap_density, rts_thresh;
u16 pm_on, pm_mcast, pm_period, pm_timeout;
Reported by FlawFinder.
drivers/pci/hotplug/ibmphp_core.c
5 issues
Line: 274
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ibmphp_lock_operations();
if (hotplug_slot) {
pslot = to_slot(hotplug_slot);
memcpy(&myslot, pslot, sizeof(struct slot));
rc = ibmphp_hpc_readslot(pslot, READ_SLOTSTATUS,
&myslot.status);
if (!rc)
rc = ibmphp_hpc_readslot(pslot, READ_EXTSLOTSTATUS,
&myslot.ext_status);
Reported by FlawFinder.
Line: 300
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ibmphp_lock_operations();
if (hotplug_slot) {
pslot = to_slot(hotplug_slot);
memcpy(&myslot, pslot, sizeof(struct slot));
rc = ibmphp_hpc_readslot(pslot, READ_SLOTSTATUS,
&myslot.status);
if (!rc)
*value = SLOT_LATCH(myslot.status);
}
Reported by FlawFinder.
Line: 325
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ibmphp_lock_operations();
if (hotplug_slot) {
pslot = to_slot(hotplug_slot);
memcpy(&myslot, pslot, sizeof(struct slot));
rc = ibmphp_hpc_readslot(pslot, READ_SLOTSTATUS,
&myslot.status);
if (!rc)
*value = SLOT_PWRGD(myslot.status);
}
Reported by FlawFinder.
Line: 350
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ibmphp_lock_operations();
if (hotplug_slot) {
pslot = to_slot(hotplug_slot);
memcpy(&myslot, pslot, sizeof(struct slot));
rc = ibmphp_hpc_readslot(pslot, READ_SLOTSTATUS,
&myslot.status);
if (!rc) {
present = SLOT_PRESENT(myslot.status);
if (present == HPC_SLOT_EMPTY)
Reported by FlawFinder.
Line: 1276
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = -ENODEV;
goto error;
}
memcpy(ibmphp_pci_bus, bus, sizeof(*ibmphp_pci_bus));
ibmphp_debug = debug;
for (i = 0; i < 16; i++)
irqs[i] = 0;
Reported by FlawFinder.
drivers/scsi/libsas/sas_host_smp.c
5 issues
Line: 34
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
phy = sas_ha->sas_phy[phy_id]->phy;
resp_data[9] = phy_id;
resp_data[13] = phy->negotiated_linkrate;
memcpy(resp_data + 16, sas_ha->sas_addr, SAS_ADDR_SIZE);
memcpy(resp_data + 24, sas_ha->sas_phy[phy_id]->attached_sas_addr,
SAS_ADDR_SIZE);
resp_data[40] = (phy->minimum_linkrate << 4) |
phy->minimum_linkrate_hw;
resp_data[41] = (phy->maximum_linkrate << 4) |
Reported by FlawFinder.
Line: 35
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resp_data[9] = phy_id;
resp_data[13] = phy->negotiated_linkrate;
memcpy(resp_data + 16, sas_ha->sas_addr, SAS_ADDR_SIZE);
memcpy(resp_data + 24, sas_ha->sas_phy[phy_id]->attached_sas_addr,
SAS_ADDR_SIZE);
resp_data[40] = (phy->minimum_linkrate << 4) |
phy->minimum_linkrate_hw;
resp_data[41] = (phy->maximum_linkrate << 4) |
phy->maximum_linkrate_hw;
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resp_data[2] = SMP_RESP_FUNC_ACC;
resp_data[9] = phy_id;
memcpy(resp_data + 16, sas_ha->sas_phy[phy_id]->attached_sas_addr,
SAS_ADDR_SIZE);
/* check to see if we have a valid d2h fis */
if (fis->fis_type != 0x34)
return;
Reported by FlawFinder.
Line: 270
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case SMP_REPORT_MANUF_INFO:
resp_data[2] = SMP_RESP_FUNC_ACC;
memcpy(resp_data + 12, shost->hostt->name,
SAS_EXPANDER_VENDOR_ID_LEN);
memcpy(resp_data + 20, "libsas virt phy",
SAS_EXPANDER_PRODUCT_ID_LEN);
reslen = 64;
break;
Reported by FlawFinder.
Line: 272
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
resp_data[2] = SMP_RESP_FUNC_ACC;
memcpy(resp_data + 12, shost->hostt->name,
SAS_EXPANDER_VENDOR_ID_LEN);
memcpy(resp_data + 20, "libsas virt phy",
SAS_EXPANDER_PRODUCT_ID_LEN);
reslen = 64;
break;
case SMP_READ_GPIO_REG:
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c
5 issues
Line: 19
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
void *src = dev->mt76.eeprom.data + MT_EE_MAC_ADDR;
memcpy(dev->mphy.macaddr, src, ETH_ALEN);
return 0;
}
static bool
mt76x2_has_cal_free_data(struct mt76x02_dev *dev, u8 *efuse)
Reported by FlawFinder.
Line: 105
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!(efuse[MT_EE_TX_POWER_0_START_5G] |
efuse[MT_EE_TX_POWER_0_START_5G + 1]))
memcpy(eeprom + MT_EE_TX_POWER_0_START_5G, prev_grp0, 2);
if (!(efuse[MT_EE_TX_POWER_1_START_5G] |
efuse[MT_EE_TX_POWER_1_START_5G + 1]))
memcpy(eeprom + MT_EE_TX_POWER_1_START_5G, prev_grp0 + 2, 2);
val = get_unaligned_le16(efuse + MT_EE_BT_RCAL_RESULT);
Reported by FlawFinder.
Line: 108
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(eeprom + MT_EE_TX_POWER_0_START_5G, prev_grp0, 2);
if (!(efuse[MT_EE_TX_POWER_1_START_5G] |
efuse[MT_EE_TX_POWER_1_START_5G + 1]))
memcpy(eeprom + MT_EE_TX_POWER_1_START_5G, prev_grp0 + 2, 2);
val = get_unaligned_le16(efuse + MT_EE_BT_RCAL_RESULT);
if (val != 0xffff)
eeprom[MT_EE_BT_RCAL_RESULT] = val & 0xff;
Reported by FlawFinder.
Line: 172
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
/* FIXME: check if efuse data is complete */
found = true;
memcpy(dev->mt76.eeprom.data, efuse, MT7662_EEPROM_SIZE);
}
out:
if (!found)
return -ENOENT;
Reported by FlawFinder.
Line: 340
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
val >>= 8;
t->vht[8] = t->vht[9] = mt76x02_rate_power_val(val >> 8);
memcpy(t->stbc, t->ht, sizeof(t->stbc[0]) * 8);
t->stbc[8] = t->vht[8];
t->stbc[9] = t->vht[9];
}
EXPORT_SYMBOL_GPL(mt76x2_get_rate_power);
Reported by FlawFinder.