The following issues were found
drivers/power/supply/lp8727_charger.c
5 issues
Line: 339
Column: 5
CWE codes:
120
20
struct lp8727_chg *pchg = dev_get_drvdata(psy->dev.parent);
struct lp8727_platform_data *pdata = pchg->pdata;
enum lp8727_die_temp temp;
u8 read;
switch (psp) {
case POWER_SUPPLY_PROP_STATUS:
if (!lp8727_is_charger_attached(psy->desc->name, pchg->devid)) {
val->intval = POWER_SUPPLY_STATUS_DISCHARGING;
Reported by FlawFinder.
Line: 348
Column: 43
CWE codes:
120
20
return 0;
}
lp8727_read_byte(pchg, LP8727_STATUS1, &read);
val->intval = (read & LP8727_CHGSTAT) == LP8727_STAT_EOC ?
POWER_SUPPLY_STATUS_FULL :
POWER_SUPPLY_STATUS_CHARGING;
break;
Reported by FlawFinder.
Line: 350
Column: 18
CWE codes:
120
20
lp8727_read_byte(pchg, LP8727_STATUS1, &read);
val->intval = (read & LP8727_CHGSTAT) == LP8727_STAT_EOC ?
POWER_SUPPLY_STATUS_FULL :
POWER_SUPPLY_STATUS_CHARGING;
break;
case POWER_SUPPLY_PROP_HEALTH:
lp8727_read_byte(pchg, LP8727_STATUS2, &read);
Reported by FlawFinder.
Line: 355
Column: 43
CWE codes:
120
20
POWER_SUPPLY_STATUS_CHARGING;
break;
case POWER_SUPPLY_PROP_HEALTH:
lp8727_read_byte(pchg, LP8727_STATUS2, &read);
temp = (read & LP8727_TEMP_STAT) >> LP8727_TEMP_SHIFT;
val->intval = lp8727_is_high_temperature(temp) ?
POWER_SUPPLY_HEALTH_OVERHEAT :
POWER_SUPPLY_HEALTH_GOOD;
Reported by FlawFinder.
Line: 356
Column: 11
CWE codes:
120
20
break;
case POWER_SUPPLY_PROP_HEALTH:
lp8727_read_byte(pchg, LP8727_STATUS2, &read);
temp = (read & LP8727_TEMP_STAT) >> LP8727_TEMP_SHIFT;
val->intval = lp8727_is_high_temperature(temp) ?
POWER_SUPPLY_HEALTH_OVERHEAT :
POWER_SUPPLY_HEALTH_GOOD;
break;
Reported by FlawFinder.
drivers/platform/chrome/cros_ec_lpc_mec.c
5 issues
Line: 79
Column: 39
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int i = 0;
int io_addr;
u8 sum = 0;
enum cros_ec_lpc_mec_emi_access_mode access, new_access;
/* Return checksum of 0 if window is not initialized */
WARN_ON(mec_emi_base == 0 || mec_emi_end == 0);
if (mec_emi_base == 0 || mec_emi_end == 0)
return 0;
Reported by FlawFinder.
Line: 98
Column: 44
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
mutex_lock(&io_mutex);
/* Initialize I/O at desired address */
cros_ec_lpc_mec_emi_write_address(offset, access);
/* Skip bytes in case of misaligned offset */
io_addr = MEC_EMI_EC_DATA_B0(mec_emi_base) + (offset & 0x3);
while (i < length) {
while (io_addr <= MEC_EMI_EC_DATA_B3(mec_emi_base)) {
Reported by FlawFinder.
Line: 126
Column: 21
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
else
new_access = ACCESS_TYPE_LONG_AUTO_INCREMENT;
if (new_access != access ||
access != ACCESS_TYPE_LONG_AUTO_INCREMENT) {
access = new_access;
cros_ec_lpc_mec_emi_write_address(offset, access);
}
Reported by FlawFinder.
Line: 127
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
new_access = ACCESS_TYPE_LONG_AUTO_INCREMENT;
if (new_access != access ||
access != ACCESS_TYPE_LONG_AUTO_INCREMENT) {
access = new_access;
cros_ec_lpc_mec_emi_write_address(offset, access);
}
/* Access [B0, B3] on each loop pass */
Reported by FlawFinder.
Line: 129
Column: 46
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (new_access != access ||
access != ACCESS_TYPE_LONG_AUTO_INCREMENT) {
access = new_access;
cros_ec_lpc_mec_emi_write_address(offset, access);
}
/* Access [B0, B3] on each loop pass */
io_addr = MEC_EMI_EC_DATA_B0(mec_emi_base);
}
Reported by FlawFinder.
drivers/scsi/arcmsr/arcmsr_attr.c
5 issues
Line: 92
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
allxfer_len = ARCMSR_API_DATA_BUFLEN;
if (allxfer_len <= cnt_to_end)
memcpy(ptmpQbuffer, acb->rqbuffer + tail, allxfer_len);
else {
memcpy(ptmpQbuffer, acb->rqbuffer + tail, cnt_to_end);
memcpy(ptmpQbuffer + cnt_to_end, acb->rqbuffer, allxfer_len - cnt_to_end);
}
acb->rqbuf_getIndex = (acb->rqbuf_getIndex + allxfer_len) % ARCMSR_MAX_QBUFFER;
Reported by FlawFinder.
Line: 94
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (allxfer_len <= cnt_to_end)
memcpy(ptmpQbuffer, acb->rqbuffer + tail, allxfer_len);
else {
memcpy(ptmpQbuffer, acb->rqbuffer + tail, cnt_to_end);
memcpy(ptmpQbuffer + cnt_to_end, acb->rqbuffer, allxfer_len - cnt_to_end);
}
acb->rqbuf_getIndex = (acb->rqbuf_getIndex + allxfer_len) % ARCMSR_MAX_QBUFFER;
}
if (acb->acb_flags & ACB_F_IOPDATA_OVERFLOW) {
Reported by FlawFinder.
Line: 95
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(ptmpQbuffer, acb->rqbuffer + tail, allxfer_len);
else {
memcpy(ptmpQbuffer, acb->rqbuffer + tail, cnt_to_end);
memcpy(ptmpQbuffer + cnt_to_end, acb->rqbuffer, allxfer_len - cnt_to_end);
}
acb->rqbuf_getIndex = (acb->rqbuf_getIndex + allxfer_len) % ARCMSR_MAX_QBUFFER;
}
if (acb->acb_flags & ACB_F_IOPDATA_OVERFLOW) {
struct QBUFFER __iomem *prbuffer;
Reported by FlawFinder.
Line: 139
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pQbuffer = &acb->wqbuffer[acb->wqbuf_putIndex];
cnt2end = ARCMSR_MAX_QBUFFER - acb->wqbuf_putIndex;
if (user_len > cnt2end) {
memcpy(pQbuffer, ptmpuserbuffer, cnt2end);
ptmpuserbuffer += cnt2end;
user_len -= cnt2end;
acb->wqbuf_putIndex = 0;
pQbuffer = acb->wqbuffer;
}
Reported by FlawFinder.
Line: 145
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
acb->wqbuf_putIndex = 0;
pQbuffer = acb->wqbuffer;
}
memcpy(pQbuffer, ptmpuserbuffer, user_len);
acb->wqbuf_putIndex += user_len;
acb->wqbuf_putIndex %= ARCMSR_MAX_QBUFFER;
if (acb->acb_flags & ACB_F_MESSAGE_WQBUFFER_CLEARED) {
acb->acb_flags &=
~ACB_F_MESSAGE_WQBUFFER_CLEARED;
Reported by FlawFinder.
drivers/net/wireless/intersil/hostap/hostap_ap.h
5 issues
Line: 78
Column: 30
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
u32 tx_since_last_failure;
u32 tx_consecutive_exc;
struct lib80211_crypt_data *crypt;
int ap; /* whether this station is an AP */
local_info_t *local;
Reported by FlawFinder.
Line: 213
Column: 30
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
/* WEP operations for generating challenges to be used with shared key
* authentication */
struct lib80211_crypto_ops *crypt;
void *crypt_priv;
#endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
};
Reported by FlawFinder.
Line: 233
Column: 30
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
struct hostap_tx_data {
struct sk_buff *skb;
int host_encrypt;
struct lib80211_crypt_data *crypt;
void *sta_ptr;
};
ap_tx_ret hostap_handle_sta_tx(local_info_t *local, struct hostap_tx_data *tx);
void hostap_handle_sta_release(void *ptr);
void hostap_handle_sta_tx_exc(local_info_t *local, struct sk_buff *skb);
Reported by FlawFinder.
Line: 248
Column: 38
CWE codes:
327
Suggestion:
Use a different algorithm, such as SHA-256, with a larger, non-repeating salt
struct hostap_80211_rx_status *rx_stats,
int wds);
int hostap_handle_sta_crypto(local_info_t *local, struct ieee80211_hdr *hdr,
struct lib80211_crypt_data **crypt,
void **sta_ptr);
int hostap_is_sta_assoc(struct ap_data *ap, u8 *sta_addr);
int hostap_is_sta_authorized(struct ap_data *ap, u8 *sta_addr);
int hostap_add_sta(struct ap_data *ap, u8 *sta_addr);
int hostap_update_rx_stats(struct ap_data *ap, struct ieee80211_hdr *hdr,
Reported by FlawFinder.
Line: 92
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} sta;
struct {
int ssid_len;
unsigned char ssid[MAX_SSID_LEN + 1]; /* AP's ssid */
int channel;
unsigned long last_beacon; /* last RX beacon time */
} ap;
} u;
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt76/mt76x02_mcu.h
5 issues
Line: 77
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le16 build_ver;
__le16 fw_ver;
u8 pad[4];
char build_time[16];
};
struct mt76x02_patch_header {
char build_time[16];
char platform[4];
Reported by FlawFinder.
Line: 81
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct mt76x02_patch_header {
char build_time[16];
char platform[4];
char hw_version[4];
char patch_version[4];
u8 pad[2];
};
Reported by FlawFinder.
Line: 82
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mt76x02_patch_header {
char build_time[16];
char platform[4];
char hw_version[4];
char patch_version[4];
u8 pad[2];
};
Reported by FlawFinder.
Line: 83
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct mt76x02_patch_header {
char build_time[16];
char platform[4];
char hw_version[4];
char patch_version[4];
u8 pad[2];
};
int mt76x02_mcu_cleanup(struct mt76x02_dev *dev);
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char build_time[16];
char platform[4];
char hw_version[4];
char patch_version[4];
u8 pad[2];
};
int mt76x02_mcu_cleanup(struct mt76x02_dev *dev);
int mt76x02_mcu_calibrate(struct mt76x02_dev *dev, int type, u32 param);
Reported by FlawFinder.
drivers/power/supply/88pm860x_battery.c
5 issues
Line: 157
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int measure_12bit_voltage(struct pm860x_battery_info *info,
int offset, int *data)
{
unsigned char buf[2];
int ret;
ret = pm860x_bulk_read(info->i2c, offset, 2, buf);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 173
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int measure_vbatt(struct pm860x_battery_info *info, int state,
int *data)
{
unsigned char buf[5];
int ret;
switch (state) {
case OCV_MODE_ACTIVE:
ret = measure_12bit_voltage(info, PM8607_VBAT_MEAS1, data);
Reported by FlawFinder.
Line: 215
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int measure_current(struct pm860x_battery_info *info, int *data)
{
unsigned char buf[2];
short s;
int ret;
ret = pm860x_bulk_read(info->i2c, PM8607_IBAT_MEAS1, 2, buf);
if (ret < 0)
Reported by FlawFinder.
Line: 249
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int read_ccnt(struct pm860x_battery_info *info, int offset,
int *ccnt)
{
unsigned char buf[2];
int ret;
ret = pm860x_set_bits(info->i2c, PM8607_CCNT, 7, offset & 7);
if (ret < 0)
goto out;
Reported by FlawFinder.
Line: 432
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void pm860x_init_battery(struct pm860x_battery_info *info)
{
unsigned char buf[2];
int ret;
int data;
int bat_remove;
int soc = 0;
Reported by FlawFinder.
drivers/scsi/aic7xxx/aicasm/aicasm_symbol.c
5 issues
Line: 645
CWE codes:
476
break;
}
fprintf(ofile, "#define%s%-16s%s0x%02x\n",
tab_str, curnode->symbol->name, tab_str2,
value);
free(curnode);
}
fprintf(ofile, "\n\n");
Reported by Cppcheck.
Line: 645
CWE codes:
476
break;
}
fprintf(ofile, "#define%s%-16s%s0x%02x\n",
tab_str, curnode->symbol->name, tab_str2,
value);
free(curnode);
}
fprintf(ofile, "\n\n");
Reported by Cppcheck.
Line: 87
Column: 14
CWE codes:
126
DBT key;
key.data = symbol->name;
key.size = strlen(symbol->name);
symtable->del(symtable, &key, /*flags*/0);
}
switch(symbol->type) {
case SCBLOC:
case SRAMLOC:
Reported by FlawFinder.
Line: 171
Column: 13
CWE codes:
126
int retval;
key.data = (void *)name;
key.size = strlen(name);
if ((retval = symtable->get(symtable, &key, &data, /*flags*/0)) != 0) {
if (retval == -1) {
perror("Symbol table get operation failed");
exit(EX_SOFTWARE);
Reported by FlawFinder.
Line: 450
Column: 18
CWE codes:
126
" { \"%s\",",
curnode->symbol->name);
num_tabs = 3 - (strlen(curnode->symbol->name) + 5) / 8;
while (num_tabs-- > 0)
fputc('\t', dfile);
fprintf(dfile, "0x%02x, 0x%02x }",
curnode->symbol->info.finfo->value,
Reported by FlawFinder.
drivers/net/wireless/intel/iwlwifi/pcie/tx.c
5 issues
Line: 1058
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
IWL_HCMD_DFL_DUP))) {
copy = cmd->len[i];
memcpy((u8 *)out_cmd + cmd_pos, cmd->data[i], copy);
cmd_pos += copy;
copy_size += copy;
continue;
}
Reported by FlawFinder.
Line: 1071
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
copy = min_t(int, TFD_MAX_PAYLOAD_SIZE - cmd_pos, cmd->len[i]);
memcpy((u8 *)out_cmd + cmd_pos, cmd->data[i], copy);
cmd_pos += copy;
/* However, treat copy_size the proper way, we need it below */
if (copy_size < IWL_FIRST_TB_SIZE) {
copy = IWL_FIRST_TB_SIZE - copy_size;
Reported by FlawFinder.
Line: 1093
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* start the TFD with the minimum copy bytes */
tb0_size = min_t(int, copy_size, IWL_FIRST_TB_SIZE);
memcpy(&txq->first_tb_bufs[idx], &out_cmd->hdr, tb0_size);
iwl_pcie_txq_build_tfd(trans, txq,
iwl_txq_get_first_tb_dma(txq, idx),
tb0_size, true);
/* map first command fragment, if any remains */
Reported by FlawFinder.
Line: 1331
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
start_hdr = hdr_page->pos;
memcpy(hdr_page->pos, skb->data + hdr_len, iv_len);
hdr_page->pos += iv_len;
/*
* Pull the ieee80211 header + IV to be able to use TSO core,
* we will restore it for the tx_status flow.
Reported by FlawFinder.
Line: 1590
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* building the A-MSDU might have changed this data, so memcpy it now */
memcpy(&txq->first_tb_bufs[txq->write_ptr], dev_cmd, IWL_FIRST_TB_SIZE);
tfd = iwl_txq_get_tfd(trans, txq, txq->write_ptr);
/* Set up entry for this TFD in Tx byte-count array */
iwl_txq_gen1_update_byte_cnt_tbl(trans, txq, le16_to_cpu(tx_cmd->len),
iwl_txq_gen1_tfd_get_num_tbs(trans,
Reported by FlawFinder.
drivers/net/wireless/mediatek/mt76/mt7603/mac.c
5 issues
Line: 448
CWE codes:
788
sta = container_of((void *)msta, struct ieee80211_sta, drv_priv);
for (i = 0; i < 4; i++) {
struct mt76_queue *q = dev->mphy.q_tx[i];
u8 qidx = q->hw_idx;
u8 tid = ac_to_tid[i];
u32 txtime = airtime[qidx];
if (!txtime)
Reported by Cppcheck.
Line: 1536
CWE codes:
788
int i;
for (i = 0; i < 4; i++) {
q = dev->mphy.q_tx[i];
if (!q->queued)
continue;
prev_dma_idx = dev->tx_dma_idx[i];
Reported by Cppcheck.
Line: 857
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (key->keylen > 32)
return MT_CIPHER_NONE;
memcpy(key_data, key->key, key->keylen);
switch (key->cipher) {
case WLAN_CIPHER_SUITE_WEP40:
return MT_CIPHER_WEP40;
case WLAN_CIPHER_SUITE_WEP104:
Reported by FlawFinder.
Line: 866
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return MT_CIPHER_WEP104;
case WLAN_CIPHER_SUITE_TKIP:
/* Rx/Tx MIC keys are swapped */
memcpy(key_data + 16, key->key + 24, 8);
memcpy(key_data + 24, key->key + 16, 8);
return MT_CIPHER_TKIP;
case WLAN_CIPHER_SUITE_CCMP:
return MT_CIPHER_AES_CCMP;
default:
Reported by FlawFinder.
Line: 867
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case WLAN_CIPHER_SUITE_TKIP:
/* Rx/Tx MIC keys are swapped */
memcpy(key_data + 16, key->key + 24, 8);
memcpy(key_data + 24, key->key + 16, 8);
return MT_CIPHER_TKIP;
case WLAN_CIPHER_SUITE_CCMP:
return MT_CIPHER_AES_CCMP;
default:
return MT_CIPHER_NONE;
Reported by FlawFinder.
drivers/net/wireless/zydas/zd1211rw/zd_mac.c
5 issues
Line: 24
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct zd_reg_alpha2_map {
u32 reg;
char alpha2[2];
};
static struct zd_reg_alpha2_map reg_alpha2_map[] = {
{ ZD_REGDOMAIN_FCC, "US" },
{ ZD_REGDOMAIN_IC, "CA" },
Reported by FlawFinder.
Line: 186
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int r;
struct zd_mac *mac = zd_hw_mac(hw);
struct zd_chip *chip = &mac->chip;
char alpha2[2];
u8 default_regdomain;
r = zd_chip_enable_int(chip);
if (r)
goto out;
Reported by FlawFinder.
Line: 1093
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* FIXME : could we avoid this big memcpy ? */
skb_put_data(skb, buffer, length);
memcpy(IEEE80211_SKB_RXCB(skb), &stats, sizeof(stats));
ieee80211_rx_irqsafe(hw, skb);
return 0;
}
static int zd_op_add_interface(struct ieee80211_hw *hw,
Reported by FlawFinder.
Line: 1376
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac->type = NL80211_IFTYPE_UNSPECIFIED;
memcpy(mac->channels, zd_channels, sizeof(zd_channels));
memcpy(mac->rates, zd_rates, sizeof(zd_rates));
mac->band.n_bitrates = ARRAY_SIZE(zd_rates);
mac->band.bitrates = mac->rates;
mac->band.n_channels = ARRAY_SIZE(zd_channels);
mac->band.channels = mac->channels;
Reported by FlawFinder.
Line: 1377
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac->type = NL80211_IFTYPE_UNSPECIFIED;
memcpy(mac->channels, zd_channels, sizeof(zd_channels));
memcpy(mac->rates, zd_rates, sizeof(zd_rates));
mac->band.n_bitrates = ARRAY_SIZE(zd_rates);
mac->band.bitrates = mac->rates;
mac->band.n_channels = ARRAY_SIZE(zd_channels);
mac->band.channels = mac->channels;
Reported by FlawFinder.