The following issues were found
drivers/remoteproc/qcom_sysmon.c
5 issues
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
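Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Note: the finding is on the fixed-size declaration `char req[50]`. The only write shown in the excerpt is `snprintf(req, sizeof(req), ...)`, which cannot overrun the array, so what remains to verify is that a truncated result (return value >= sizeof(req)) is rejected before the buffer is sent.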
static void sysmon_send_event(struct qcom_sysmon *sysmon,
const struct sysmon_event *event)
{
char req[50];
int len;
int ret;
len = snprintf(req, sizeof(req), "ssr:%s:%s", event->subsys_name,
sysmon_state_string[event->ssr_event]);
Reported by FlawFinder.
Line: 207
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Request structure carrying a subsystem name and an event code.
 *
 * The sender in this file zeroes the whole request with memset(), copies
 * the name with strlcpy() bounded by sizeof(subsys_name), and derives
 * subsys_name_len from strlen() of the copied (already bounded) name.
 * Any new writer of subsys_name should keep the same sizeof()-based bound.
 */
struct ssctl_subsys_event_req {
/* Length of the string in subsys_name, as set from strlen() by the sender. */
/* NOTE(review): assumes SSCTL_SUBSYS_NAME_LENGTH fits in a u8 - confirm against its definition. */
u8 subsys_name_len;
/* Fixed-size name buffer; size comes from SSCTL_SUBSYS_NAME_LENGTH (defined elsewhere). */
char subsys_name[SSCTL_SUBSYS_NAME_LENGTH];
/* Event code; the sender assigns event->ssr_event here. */
u32 event;
/* The sender sets this to true alongside evt_driven; presumably marks evt_driven as present - confirm. */
u8 evt_driven_valid;
/* The sender assigns SSCTL_SSR_EVENT_FORCED here. */
u32 evt_driven;
};
Reported by FlawFinder.
Line: 132
Column: 37
CWE codes:
126
reinit_completion(&sysmon->comp);
sysmon->ssr_ack = false;
ret = rpmsg_send(sysmon->ept, req, strlen(req) + 1);
if (ret < 0) {
dev_err(sysmon->dev, "send sysmon shutdown request failed\n");
goto out_unlock;
}
Reported by FlawFinder.
Line: 162
Column: 26
CWE codes:
126
{
struct qcom_sysmon *sysmon = priv;
const char *ssr_ack = "ssr:ack";
const int ssr_ack_len = strlen(ssr_ack) + 1;
if (!sysmon)
return -EINVAL;
if (count >= ssr_ack_len && !memcmp(data, ssr_ack, ssr_ack_len))
Reported by FlawFinder.
Line: 391
Column: 24
CWE codes:
126
memset(&req, 0, sizeof(req));
strlcpy(req.subsys_name, event->subsys_name, sizeof(req.subsys_name));
req.subsys_name_len = strlen(req.subsys_name);
req.event = event->ssr_event;
req.evt_driven_valid = true;
req.evt_driven = SSCTL_SSR_EVENT_FORCED;
ret = qmi_send_request(&sysmon->qmi, &sysmon->ssctl, &txn,
Reported by FlawFinder.
drivers/scsi/hisi_sas/hisi_sas_main.c
5 issues
Line: 1109
CWE codes:
476
struct asd_sas_phy *sas_phy = &phy->sas_phy;
enum sas_linkrate min, max;
if (r->minimum_linkrate > SAS_LINK_RATE_1_5_GBPS)
return -EINVAL;
if (r->maximum_linkrate == SAS_LINK_RATE_UNKNOWN) {
max = sas_phy->phy->maximum_linkrate;
min = r->minimum_linkrate;
Reported by Cppcheck.
Line: 115
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct dev_to_host_fis *d2h = (struct dev_to_host_fis *)iu;
resp->frame_len = sizeof(struct dev_to_host_fis);
memcpy(&resp->ending_fis[0], d2h, sizeof(struct dev_to_host_fis));
ts->buf_valid_size = sizeof(*resp);
}
EXPORT_SYMBOL_GPL(hisi_sas_sata_done);
Reported by FlawFinder.
Line: 1219
Column: 4
CWE codes:
120
Suggestion:
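Make sure destination can always hold the source data. Note: both copies in this excerpt take their length from `para_len`, not from the size of the destination member (`task->ata_task.fis` or `task->ssp_task`). The bound therefore has to be established by whoever supplies `para_len`; check each caller passes a length no larger than the member being written.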
if (dev_is_sata(device)) {
task->ata_task.device_control_reg_update = 1;
memcpy(&task->ata_task.fis, parameter, para_len);
} else {
memcpy(&task->ssp_task, parameter, para_len);
}
task->task_done = hisi_sas_task_done;
Reported by FlawFinder.
Line: 1221
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
task->ata_task.device_control_reg_update = 1;
memcpy(&task->ata_task.fis, parameter, para_len);
} else {
memcpy(&task->ssp_task, parameter, para_len);
}
task->task_done = hisi_sas_task_done;
task->slow_task->timer.function = hisi_sas_tmf_timedout;
task->slow_task->timer.expires = jiffies + TASK_TIMEOUT;
Reported by FlawFinder.
Line: 1377
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!(device->tproto & SAS_PROTOCOL_SSP))
return TMF_RESP_FUNC_ESUPP;
memcpy(ssp_task.LUN, lun, 8);
return hisi_sas_exec_internal_tmf_task(device, &ssp_task,
sizeof(ssp_task), tmf);
}
Reported by FlawFinder.
drivers/scsi/elx/efct/efct_lio.h
5 issues
Line: 77
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct se_session *session;
spinlock_t active_ios_lock;
struct list_head active_ios;
char display_name[EFC_NAME_LENGTH];
u32 port_fc_id;
u32 node_fc_id;
u32 vpi;
u32 rpi;
u32 abort_cnt;
Reported by FlawFinder.
Line: 108
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct efct_scsi_tgt_io {
struct se_cmd cmd;
unsigned char sense_buffer[TRANSPORT_SENSE_BUFFER];
enum dma_data_direction ddir;
int task_attr;
u64 lun;
u32 state;
Reported by FlawFinder.
Line: 138
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 wwpn;
u64 npiv_wwpn;
u64 npiv_wwnn;
unsigned char wwpn_str[WWN_NAME_LEN];
struct se_wwn vport_wwn;
struct efct_lio_tpg *tpg;
struct efct *efct;
struct Scsi_Host *shost;
struct fc_vport *fc_vport;
Reported by FlawFinder.
Line: 149
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Per-nport state for the efct LIO target code.
 * NOTE(review): field meanings below are inferred from names and types
 * only; the code that fills this structure is not shown here.
 */
struct efct_lio_nport {
/* 64-bit port name value (presumably the FC world wide port name - confirm). */
u64 wwpn;
/*
 * Fixed-size buffer of WWN_NAME_LEN bytes, presumably the textual form of
 * wwpn - confirm. Writers must bound their output by sizeof(wwpn_str) and
 * leave it NUL-terminated if it is ever read as a C string.
 */
unsigned char wwpn_str[WWN_NAME_LEN];
/* Embedded target-core WWN object. */
struct se_wwn nport_wwn;
/* Pointer to the associated target portal group. */
struct efct_lio_tpg *tpg;
/* Back-pointer to the owning efct instance. */
struct efct *efct;
/* Atomic flag/counter named "enable"; semantics not visible here. */
atomic_t enable;
};
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Node ACL wrapper for the efct LIO target code.
 * NOTE(review): field meanings below are inferred from names and types
 * only; the code that fills this structure is not shown here.
 */
struct efct_lio_nacl {
/* 64-bit node name value (presumably a world wide node name - confirm). */
u64 nport_wwnn;
/*
 * Fixed-size name buffer of WWN_NAME_LEN bytes. Writers must bound their
 * output by sizeof(nport_name) and keep it NUL-terminated.
 */
char nport_name[WWN_NAME_LEN];
/* Pointer to the target-core session associated with this ACL. */
struct se_session *session;
/* Embedded target-core node ACL object. */
struct se_node_acl se_node_acl;
};
struct efct_lio_vport_list_t {
Reported by FlawFinder.
drivers/s390/crypto/ap_bus.c
5 issues
Line: 661
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void ap_send_bindings_complete_uevent(void)
{
char buf[32];
char *envp[] = { "BINDINGS=complete", buf, NULL };
snprintf(buf, sizeof(buf), "COMPLETECOUNT=%llu",
atomic64_inc_return(&ap_bindings_complete_count));
kobject_uevent_env(&ap_root_device->kobj, KOBJ_CHANGE, envp);
Reported by FlawFinder.
Line: 671
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ap_send_config_uevent(struct ap_device *ap_dev, bool cfg)
{
char buf[16];
char *envp[] = { buf, NULL };
snprintf(buf, sizeof(buf), "CONFIG=%d", cfg ? 1 : 0);
kobject_uevent_env(&ap_dev->device.kobj, KOBJ_CHANGE, envp);
Reported by FlawFinder.
Line: 682
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void ap_send_online_uevent(struct ap_device *ap_dev, int online)
{
char buf[16];
char *envp[] = { buf, NULL };
snprintf(buf, sizeof(buf), "ONLINE=%d", online ? 1 : 0);
kobject_uevent_env(&ap_dev->device.kobj, KOBJ_CHANGE, envp);
Reported by FlawFinder.
Line: 1098
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (*str == '+' || *str == '-') {
memcpy(newmap, bitmap, size);
rc = modify_bitmap(str, newmap, bits);
} else {
memset(newmap, 0, size);
rc = hex2bitmap(str, newmap, bits);
}
Reported by FlawFinder.
Line: 1105
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rc = hex2bitmap(str, newmap, bits);
}
if (rc == 0)
memcpy(bitmap, newmap, size);
mutex_unlock(lock);
kfree(newmap);
return rc;
}
EXPORT_SYMBOL(ap_parse_mask_str);
Reported by FlawFinder.
drivers/platform/x86/acerhdf.c
5 issues
Line: 78
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned int verbose;
static unsigned int list_supported;
static unsigned int fanstate = ACERHDF_FAN_AUTO;
static char force_bios[16];
static char force_product[16];
static unsigned int prev_interval;
static struct thermal_zone_device *thz_dev;
static struct thermal_cooling_device *cl_dev;
static struct platform_device *acerhdf_dev;
Reported by FlawFinder.
Line: 79
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned int list_supported;
static unsigned int fanstate = ACERHDF_FAN_AUTO;
static char force_bios[16];
static char force_product[16];
static unsigned int prev_interval;
static struct thermal_zone_device *thz_dev;
static struct thermal_cooling_device *cl_dev;
static struct platform_device *acerhdf_dev;
Reported by FlawFinder.
Line: 671
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy control settings from BIOS table before we free it. */
ctrl_cfg.fanreg = bt->fanreg;
ctrl_cfg.tempreg = bt->tempreg;
memcpy(&ctrl_cfg.cmd, &bt->cmd, sizeof(struct fancmd));
ctrl_cfg.mcmd_enable = bt->mcmd_enable;
/*
* if started with kernel mode off, prevent the kernel from switching
* off the fan
Reported by FlawFinder.
Line: 592
Column: 12
CWE codes:
126
{
unsigned long str_len = 0, start_len = 0;
str_len = strlen(str);
start_len = strlen(start);
if (str_len >= start_len &&
!strncmp(str, start, start_len))
return 1;
Reported by FlawFinder.
Line: 593
Column: 14
CWE codes:
126
unsigned long str_len = 0, start_len = 0;
str_len = strlen(str);
start_len = strlen(start);
if (str_len >= start_len &&
!strncmp(str, start, start_len))
return 1;
Reported by FlawFinder.
drivers/rpmsg/rpmsg_core.c
5 issues
Line: 369
Column: 9
CWE codes:
134
Suggestion:
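Make format string constant. Note: `format_string` appears to be a parameter of the attribute-generating macro rather than a runtime value. The one expansion shown on this page, `rpmsg_show_attr(name, id.name, "%s\n")`, passes a string literal, so the CWE-134 concern would apply only if some expansion passed a non-literal format.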
{ \
struct rpmsg_device *rpdev = to_rpmsg_device(dev); \
\
return sprintf(buf, format_string, rpdev->path); \
} \
static DEVICE_ATTR_RO(field);
#define rpmsg_string_attr(field, member) \
static ssize_t \
Reported by FlawFinder.
Line: 406
Column: 9
CWE codes:
120
Suggestion:
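Use sprintf_s, snprintf, or vsnprintf. Note: `sprintf_s` is not available in kernel code. For a device-attribute show callback such as this one, the kernel's bounded helper is `sysfs_emit()`, which limits output to the PAGE_SIZE buffer that sysfs provides.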
{ \
struct rpmsg_device *rpdev = to_rpmsg_device(dev); \
\
return sprintf(buf, "%s\n", rpdev->member); \
} \
static DEVICE_ATTR_RW(field)
/* for more info, see Documentation/ABI/testing/sysfs-bus-rpmsg */
rpmsg_show_attr(name, id.name, "%s\n");
Reported by FlawFinder.
Line: 427
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
if (len != -ENODEV)
return len;
return sprintf(buf, RPMSG_DEVICE_MODALIAS_FMT "\n", rpdev->id.name);
}
static DEVICE_ATTR_RO(modalias);
static struct attribute *rpmsg_dev_attrs[] = {
&dev_attr_name.attr,
Reported by FlawFinder.
Line: 388
Column: 6
CWE codes:
126
\
device_lock(dev); \
old = rpdev->member; \
if (strlen(new)) { \
rpdev->member = new; \
} else { \
kfree(new); \
rpdev->member = NULL; \
} \
Reported by FlawFinder.
Line: 504
Column: 3
CWE codes:
120
goto out;
if (rpdrv->callback) {
strncpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE);
chinfo.src = rpdev->src;
chinfo.dst = RPMSG_ADDR_ANY;
ept = rpmsg_create_ept(rpdev, rpdrv->callback, NULL, chinfo);
if (!ept) {
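Reported by FlawFinder. Note: no suggestion accompanies this finding. The flagged call is `strncpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE)`; `strncpy()` leaves the destination without a NUL terminator when the source is RPMSG_NAME_SIZE bytes or longer. If `chinfo.name` is exactly RPMSG_NAME_SIZE bytes (its declaration is not shown), a copy that always terminates, such as `strscpy()` with `sizeof(chinfo.name)`, removes that case.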
drivers/scsi/elx/libefc/efc_els.c
5 issues
Line: 415
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Build PLOGI request */
plogi = els->io.req.virt;
memcpy(plogi, node->nport->service_params, sizeof(*plogi));
plogi->fl_cmd = ELS_PLOGI;
memset(plogi->_fl_resvd, 0, sizeof(plogi->_fl_resvd));
return efc_els_send_req(node, els, EFC_DISC_IO_ELS_REQ);
Reported by FlawFinder.
Line: 445
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Build FLOGI request */
flogi = els->io.req.virt;
memcpy(flogi, node->nport->service_params, sizeof(*flogi));
flogi->fl_cmd = ELS_FLOGI;
memset(flogi->_fl_resvd, 0, sizeof(flogi->_fl_resvd));
return efc_els_send_req(node, els, EFC_DISC_IO_ELS_REQ);
}
Reported by FlawFinder.
Line: 474
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Build FDISC request */
fdisc = els->io.req.virt;
memcpy(fdisc, node->nport->service_params, sizeof(*fdisc));
fdisc->fl_cmd = ELS_FDISC;
memset(fdisc->_fl_resvd, 0, sizeof(fdisc->_fl_resvd));
return efc_els_send_req(node, els, EFC_DISC_IO_ELS_REQ);
}
Reported by FlawFinder.
Line: 669
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
plogi = els->io.req.virt;
/* copy our port's service parameters to payload */
memcpy(plogi, node->nport->service_params, sizeof(*plogi));
plogi->fl_cmd = ELS_LS_ACC;
memset(plogi->_fl_resvd, 0, sizeof(plogi->_fl_resvd));
/* Set Application header support bit if requested */
if (req->fl_csp.sp_features & cpu_to_be16(FC_SP_FT_BCAST))
Reported by FlawFinder.
Line: 704
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
flogi = els->io.req.virt;
/* copy our port's service parameters to payload */
memcpy(flogi, node->nport->service_params, sizeof(*flogi));
flogi->fl_cmd = ELS_LS_ACC;
memset(flogi->_fl_resvd, 0, sizeof(flogi->_fl_resvd));
memset(flogi->fl_cssp, 0, sizeof(flogi->fl_cssp));
Reported by FlawFinder.
drivers/s390/cio/device_pgid.c
5 issues
Line: 371
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int i;
for (i = 0; i < 8; i++)
memcpy(&cdev->private->dma_area->pgid[i], pgid,
sizeof(struct pgid));
}
/*
* Process SENSE PGID data and report result.
Reported by FlawFinder.
Line: 301
Column: 10
CWE codes:
126
Suggestion:
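This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it. Note: this rule targets the C++ `std::mismatch` algorithm, but the file is C. In the findings for this file whose columns can be checked against the excerpt (lines 390 and 393), the flagged column falls on the identifier `mismatch`, an `int` used as an out-parameter of `pgid_analyze`. These CWE-126 hits therefore look like name-matching false positives rather than buffer over-reads.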
* Determine pathgroup state from PGID data.
*/
static void pgid_analyze(struct ccw_device *cdev, struct pgid **p,
int *mismatch, u8 *reserved, u8 *reset)
{
struct pgid *pgid = &cdev->private->dma_area->pgid[0];
struct pgid *first = NULL;
int lpm;
int i;
Reported by FlawFinder.
Line: 390
Column: 29
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
if (rc)
goto out;
pgid_analyze(cdev, &pgid, &mismatch, &reserved, &reset);
if (reserved == cdev->private->pgid_valid_mask)
rc = -EUSERS;
else if (mismatch)
rc = -EOPNOTSUPP;
else {
Reported by FlawFinder.
Line: 393
Column: 11
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
pgid_analyze(cdev, &pgid, &mismatch, &reserved, &reset);
if (reserved == cdev->private->pgid_valid_mask)
rc = -EUSERS;
else if (mismatch)
rc = -EOPNOTSUPP;
else {
donepm = pgid_to_donepm(cdev);
sch->vpm = donepm & sch->opm;
cdev->private->pgid_reset_mask |= reset;
Reported by FlawFinder.
Line: 407
Column: 40
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
CIO_MSG_EVENT(2, "snid: device 0.%x.%04x: rc=%d pvm=%02x vpm=%02x "
"todo=%02x mism=%d rsvd=%02x reset=%02x\n", id->ssid,
id->devno, rc, cdev->private->pgid_valid_mask, sch->vpm,
cdev->private->pgid_todo_mask, mismatch, reserved, reset);
switch (rc) {
case 0:
if (cdev->private->flags.pgid_unknown) {
pgid_wipeout_start(cdev);
return;
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas_tf/main.c
5 issues
Line: 235
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ieee80211_get_tx_rate(priv->hw, info)->hw_value);
/* copy destination address from 802.11 header */
memcpy(txpd->tx_dest_addr_high, skb->data + sizeof(struct txpd) + 4,
ETH_ALEN);
txpd->tx_packet_length = cpu_to_le16(len);
txpd->tx_packet_location = cpu_to_le32(sizeof(struct txpd));
lbtf_deb_hex(LBTF_DEB_TX, "TX Data", skb->data, min_t(unsigned int, skb->len, 100));
BUG_ON(priv->tx_skb);
Reported by FlawFinder.
Line: 367
Column: 3
CWE codes:
120
Suggestion:
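Make sure destination can always hold the source data. Note: each copy is a fixed ETH_ALEN bytes, so the bound that matters is the index. `i` advances once per list entry, and the excerpt does not show `mc_count` being checked against the capacity of `priv->multicastlist` before the loop; confirm that check exists earlier in the function.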
priv->nr_of_multicastmacaddr = mc_count;
i = 0;
netdev_hw_addr_list_for_each(ha, mc_list)
memcpy(&priv->multicastlist[i++], ha->addr, ETH_ALEN);
return mc_count;
}
#define SUPPORTED_FIF_FLAGS FIF_ALLMULTI
Reported by FlawFinder.
Line: 529
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_reserve(skb, 2);
}
memcpy(IEEE80211_SKB_RXCB(skb), &stats, sizeof(stats));
lbtf_deb_rx("rx data: skb->len-sizeof(RxPd) = %d-%zd = %zd\n",
skb->len, sizeof(struct rxpd), skb->len - sizeof(struct rxpd));
lbtf_deb_hex(LBTF_DEB_RX, "RX Data", skb->data,
min_t(unsigned int, skb->len, 100));
Reported by FlawFinder.
Line: 575
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ieee80211_hw_set(hw, HOST_BROADCAST_PS_BUFFERING);
ieee80211_hw_set(hw, SIGNAL_DBM);
hw->extra_tx_headroom = sizeof(struct txpd);
memcpy(priv->channels, lbtf_channels, sizeof(lbtf_channels));
memcpy(priv->rates, lbtf_rates, sizeof(lbtf_rates));
priv->band.n_bitrates = ARRAY_SIZE(lbtf_rates);
priv->band.bitrates = priv->rates;
priv->band.n_channels = ARRAY_SIZE(lbtf_channels);
priv->band.channels = priv->channels;
Reported by FlawFinder.
Line: 576
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ieee80211_hw_set(hw, SIGNAL_DBM);
hw->extra_tx_headroom = sizeof(struct txpd);
memcpy(priv->channels, lbtf_channels, sizeof(lbtf_channels));
memcpy(priv->rates, lbtf_rates, sizeof(lbtf_rates));
priv->band.n_bitrates = ARRAY_SIZE(lbtf_rates);
priv->band.bitrates = priv->rates;
priv->band.n_channels = ARRAY_SIZE(lbtf_channels);
priv->band.channels = priv->channels;
hw->wiphy->bands[NL80211_BAND_2GHZ] = &priv->band;
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas/if_spi.c
5 issues
Line: 495
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* in chunks of 64 bytes
*/
memset(temp, 0, sizeof(temp));
memcpy(temp, fw,
min(bytes_remaining, HELPER_FW_LOAD_CHUNK_SZ));
mdelay(10);
err = spu_write(card, IF_SPI_CMD_RDWRPORT_REG,
temp, HELPER_FW_LOAD_CHUNK_SZ);
if (err)
Reported by FlawFinder.
Line: 630
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (bytes < len) {
memset(card->cmd_buffer, 0, len);
memcpy(card->cmd_buffer, fw, bytes);
} else
memcpy(card->cmd_buffer, fw, len);
err = spu_write_u16(card, IF_SPI_HOST_INT_STATUS_REG, 0);
if (err)
Reported by FlawFinder.
Line: 632
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(card->cmd_buffer, 0, len);
memcpy(card->cmd_buffer, fw, bytes);
} else
memcpy(card->cmd_buffer, fw, len);
err = spu_write_u16(card, IF_SPI_HOST_INT_STATUS_REG, 0);
if (err)
goto out;
err = spu_write(card, IF_SPI_CMD_RDWRPORT_REG,
Reported by FlawFinder.
Line: 722
Column: 2
CWE codes:
120
Suggestion:
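Make sure destination can always hold the source data. Note: `len` is not a compile-time constant here, and the excerpt does not show it being validated against the size of `priv->resp_buf[i]`. Confirm that an upper-bound check on `len` precedes this copy.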
i = (priv->resp_idx == 0) ? 1 : 0;
BUG_ON(priv->resp_len[i]);
priv->resp_len[i] = len;
memcpy(priv->resp_buf[i], card->cmd_buffer, len);
lbs_notify_command_response(priv, i);
spin_unlock_irqrestore(&priv->driver_lock, flags);
out:
if (err)
Reported by FlawFinder.
Line: 957
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
packet->blen = blen;
memcpy(packet->buffer, buf, nb);
memset(packet->buffer + nb, 0, blen - nb);
switch (type) {
case MVMS_CMD:
priv->dnld_sent = DNLD_CMD_SENT;
Reported by FlawFinder.