The following issues were found
drivers/usb/misc/iowarrior.c
4 issues
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
atomic_t overflow_flag; /* signals an index 'rollover' */
int present; /* this is 1 as long as the device is connected */
int opened; /* this is 1 if the device is currently open */
char chip_serial[9]; /* the serial number string of the chip connected */
int report_size; /* number of bytes in a report */
u16 product_id;
struct usb_anchor submitted;
};
Reported by FlawFinder.
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* +1 for serial number */
offset = intr_idx * (dev->report_size + 1);
memcpy(dev->read_queue + offset, urb->transfer_buffer,
dev->report_size);
*(dev->read_queue + offset + (dev->report_size)) = dev->serial_number++;
atomic_set(&dev->intr_idx, aux_idx);
/* tell the blocking read about the new data */
Reported by FlawFinder.
Line: 567
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info.report_size = dev->report_size;
/* serial number string has been read earlier 8 chars or empty string */
memcpy(info.serial, dev->chip_serial,
sizeof(dev->chip_serial));
if (cfg_descriptor == NULL) {
info.power = -1; /* no information available */
} else {
/* the MaxPower is stored in units of 2mA to make it fit into a byte-value */
Reported by FlawFinder.
Line: 849
Column: 6
CWE codes:
126
memset(dev->chip_serial, 0x00, sizeof(dev->chip_serial));
usb_string(udev, udev->descriptor.iSerialNumber, dev->chip_serial,
sizeof(dev->chip_serial));
if (strlen(dev->chip_serial) != 8)
memset(dev->chip_serial, 0x00, sizeof(dev->chip_serial));
/* Set the idle timeout to 0, if this is interface 0 */
if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) {
usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
Reported by FlawFinder.
drivers/scsi/smartpqi/smartpqi.h
4 issues
Line: 1235
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pqi_ctrl_info {
unsigned int ctrl_id;
struct pci_dev *pci_dev;
char firmware_version[32];
char serial_number[17];
char model[17];
char vendor[9];
u8 product_id;
u8 product_revision;
Reported by FlawFinder.
Line: 1236
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int ctrl_id;
struct pci_dev *pci_dev;
char firmware_version[32];
char serial_number[17];
char model[17];
char vendor[9];
u8 product_id;
u8 product_revision;
void __iomem *iomem_base;
Reported by FlawFinder.
Line: 1237
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pci_dev *pci_dev;
char firmware_version[32];
char serial_number[17];
char model[17];
char vendor[9];
u8 product_id;
u8 product_revision;
void __iomem *iomem_base;
struct pqi_ctrl_registers __iomem *registers;
Reported by FlawFinder.
Line: 1238
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char firmware_version[32];
char serial_number[17];
char model[17];
char vendor[9];
u8 product_id;
u8 product_revision;
void __iomem *iomem_base;
struct pqi_ctrl_registers __iomem *registers;
struct pqi_device_registers __iomem *pqi_registers;
Reported by FlawFinder.
drivers/staging/rtl8192u/ieee80211/rtl819x_HTProc.c
4 issues
Line: 485
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pHT->ePeerHTSpecVer == HT_SPEC_VER_EWC) {
u8 EWC11NHTCap[] = {0x00, 0x90, 0x4c, 0x33}; // For 11n EWC definition, 2007.07.17, by Emily
memcpy(posHTCap, EWC11NHTCap, sizeof(EWC11NHTCap));
pCapELE = (struct ht_capability_ele *)&posHTCap[4];
} else {
pCapELE = (struct ht_capability_ele *)posHTCap;
}
Reported by FlawFinder.
Line: 528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
//Supported MCS set
memcpy(pCapELE->MCS, ieee->Regdot11HTOperationalRateSet, 16);
if (pHT->IOTAction & HT_IOT_ACT_DISABLE_MCS15)
pCapELE->MCS[1] &= 0x7f;
if (pHT->IOTAction & HT_IOT_ACT_DISABLE_MCS14)
pCapELE->MCS[1] &= 0xbf;
Reported by FlawFinder.
Line: 1133
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// Save HTCap and HTInfo information Element
if (pNetwork->bssht.bdHTCapLen > 0 && pNetwork->bssht.bdHTCapLen <= sizeof(pHTInfo->PeerHTCapBuf))
memcpy(pHTInfo->PeerHTCapBuf, pNetwork->bssht.bdHTCapBuf, pNetwork->bssht.bdHTCapLen);
if (pNetwork->bssht.bdHTInfoLen > 0 && pNetwork->bssht.bdHTInfoLen <= sizeof(pHTInfo->PeerHTInfoBuf))
memcpy(pHTInfo->PeerHTInfoBuf, pNetwork->bssht.bdHTInfoBuf, pNetwork->bssht.bdHTInfoLen);
// Check whether RT to RT aggregation mode is enabled
Reported by FlawFinder.
Line: 1136
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(pHTInfo->PeerHTCapBuf, pNetwork->bssht.bdHTCapBuf, pNetwork->bssht.bdHTCapLen);
if (pNetwork->bssht.bdHTInfoLen > 0 && pNetwork->bssht.bdHTInfoLen <= sizeof(pHTInfo->PeerHTInfoBuf))
memcpy(pHTInfo->PeerHTInfoBuf, pNetwork->bssht.bdHTInfoBuf, pNetwork->bssht.bdHTInfoLen);
// Check whether RT to RT aggregation mode is enabled
if (pHTInfo->bRegRT2RTAggregation) {
pHTInfo->bCurrentRT2RTAggregation = pNetwork->bssht.bdRT2RTAggregation;
pHTInfo->bCurrentRT2RTLongSlotTime = pNetwork->bssht.bdRT2RTLongSlotTime;
Reported by FlawFinder.
drivers/spi/spi-dln2.c
4 issues
Line: 358
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int dln2_spi_copy_to_buf(u8 *dln2_buf, const u8 *src, u16 len, u8 bpw)
{
#ifdef __LITTLE_ENDIAN
memcpy(dln2_buf, src, len);
#else
if (bpw <= 8) {
memcpy(dln2_buf, src, len);
} else if (bpw <= 16) {
__le16 *d = (__le16 *)dln2_buf;
Reported by FlawFinder.
Line: 361
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dln2_buf, src, len);
#else
if (bpw <= 8) {
memcpy(dln2_buf, src, len);
} else if (bpw <= 16) {
__le16 *d = (__le16 *)dln2_buf;
u16 *s = (u16 *)src;
len = len / 2;
Reported by FlawFinder.
Line: 391
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static int dln2_spi_copy_from_buf(u8 *dest, const u8 *dln2_buf, u16 len, u8 bpw)
{
#ifdef __LITTLE_ENDIAN
memcpy(dest, dln2_buf, len);
#else
if (bpw <= 8) {
memcpy(dest, dln2_buf, len);
} else if (bpw <= 16) {
u16 *d = (u16 *)dest;
Reported by FlawFinder.
Line: 394
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(dest, dln2_buf, len);
#else
if (bpw <= 8) {
memcpy(dest, dln2_buf, len);
} else if (bpw <= 16) {
u16 *d = (u16 *)dest;
__le16 *s = (__le16 *)dln2_buf;
len = len / 2;
Reported by FlawFinder.
drivers/usb/gadget/function/f_uvc.c
4 issues
Line: 408
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct uvc_device *uvc = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", uvc->func.fi->group.cg_item.ci_name);
}
static DEVICE_ATTR_RO(function_name);
static int
Reported by FlawFinder.
Line: 217
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&v4l2_event, 0, sizeof(v4l2_event));
v4l2_event.type = UVC_EVENT_DATA;
uvc_event->data.length = req->actual;
memcpy(&uvc_event->data.data, req->buf, req->actual);
v4l2_event_queue(&uvc->vdev, &v4l2_event);
}
}
static int
Reported by FlawFinder.
Line: 446
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#define UVC_COPY_DESCRIPTOR(mem, dst, desc) \
do { \
memcpy(mem, desc, (desc)->bLength); \
*(dst)++ = mem; \
mem += (desc)->bLength; \
} while (0);
#define UVC_COPY_DESCRIPTORS(mem, dst, src) \
Reported by FlawFinder.
Line: 455
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
do { \
const struct usb_descriptor_header * const *__src; \
for (__src = src; *__src; ++__src) { \
memcpy(mem, *__src, (*__src)->bLength); \
*dst++ = mem; \
mem += (*__src)->bLength; \
} \
} while (0)
Reported by FlawFinder.
drivers/video/fbdev/c2p_planar.c
4 issues
Line: 110
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Single destination word */
first &= last;
memset(d.pixels, 0, sizeof(d));
memcpy(d.pixels+dst_idx, c, width);
c += width;
c2p_32x8(d.words);
store_planar_masked(p, dst_nextplane, bpp, d.words,
first);
p += 4;
Reported by FlawFinder.
Line: 123
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dst_idx) {
w = 32 - dst_idx;
memset(d.pixels, 0, dst_idx);
memcpy(d.pixels+dst_idx, c, w);
c += w;
c2p_32x8(d.words);
store_planar_masked(p, dst_nextplane, bpp,
d.words, first);
p += 4;
Reported by FlawFinder.
Line: 133
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Main chunk */
while (w >= 32) {
memcpy(d.pixels, c, 32);
c += 32;
c2p_32x8(d.words);
store_planar(p, dst_nextplane, bpp, d.words);
p += 4;
w -= 32;
Reported by FlawFinder.
Line: 143
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Trailing bits */
w %= 32;
if (w > 0) {
memcpy(d.pixels, c, w);
memset(d.pixels+w, 0, 32-w);
c2p_32x8(d.words);
store_planar_masked(p, dst_nextplane, bpp,
d.words, last);
}
Reported by FlawFinder.
drivers/spi/spi-omap2-mcspi.c
4 issues
Line: 98
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct completion dma_tx_completion;
struct completion dma_rx_completion;
char dma_rx_ch_name[14];
char dma_tx_ch_name[14];
};
/* use PIO for small transfers, avoiding DMA setup/teardown overhead and
* cache operations; better heuristics consider wordsize and bitrate.
Reported by FlawFinder.
Line: 99
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct completion dma_rx_completion;
char dma_rx_ch_name[14];
char dma_tx_ch_name[14];
};
/* use PIO for small transfers, avoiding DMA setup/teardown overhead and
* cache operations; better heuristics consider wordsize and bitrate.
*/
Reported by FlawFinder.
Line: 1501
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
for (i = 0; i < master->num_chipselect; i++) {
sprintf(mcspi->dma_channels[i].dma_rx_ch_name, "rx%d", i);
sprintf(mcspi->dma_channels[i].dma_tx_ch_name, "tx%d", i);
status = omap2_mcspi_request_dma(mcspi,
&mcspi->dma_channels[i]);
if (status == -EPROBE_DEFER)
Reported by FlawFinder.
Line: 1502
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < master->num_chipselect; i++) {
sprintf(mcspi->dma_channels[i].dma_rx_ch_name, "rx%d", i);
sprintf(mcspi->dma_channels[i].dma_tx_ch_name, "tx%d", i);
status = omap2_mcspi_request_dma(mcspi,
&mcspi->dma_channels[i]);
if (status == -EPROBE_DEFER)
goto free_master;
Reported by FlawFinder.
drivers/video/fbdev/c2p_iplan2.c
4 issues
Line: 110
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Single destination word */
first &= last;
memset(d.pixels, 0, sizeof(d));
memcpy(d.pixels+dst_idx, c, width);
c += width;
c2p_16x8(d.words);
store_iplan2_masked(p, bpp, d.words, first);
p += bpp*2;
} else {
Reported by FlawFinder.
Line: 122
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dst_idx) {
w = 16 - dst_idx;
memset(d.pixels, 0, dst_idx);
memcpy(d.pixels+dst_idx, c, w);
c += w;
c2p_16x8(d.words);
store_iplan2_masked(p, bpp, d.words, first);
p += bpp*2;
w = width-w;
Reported by FlawFinder.
Line: 131
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Main chunk */
while (w >= 16) {
memcpy(d.pixels, c, 16);
c += 16;
c2p_16x8(d.words);
store_iplan2(p, bpp, d.words);
p += bpp*2;
w -= 16;
Reported by FlawFinder.
Line: 141
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Trailing bits */
w %= 16;
if (w > 0) {
memcpy(d.pixels, c, w);
memset(d.pixels+w, 0, 16-w);
c2p_16x8(d.words);
store_iplan2_masked(p, bpp, d.words, last);
}
}
Reported by FlawFinder.
drivers/staging/rtl8192e/rtllib_crypt_wep.c
4 issues
Line: 105
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*pos++ = wep->key_idx << 6;
/* Copy rest of the WEP key (the secret part) */
memcpy(key + 3, wep->key, wep->key_len);
if (!tcb_desc->bHwSec) {
/* Append little-endian CRC32 and encrypt it to produce ICV */
crc = ~crc32_le(~0, pos, len);
icv = skb_put(skb, 4);
Reported by FlawFinder.
Line: 156
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
klen = 3 + wep->key_len;
/* Copy rest of the WEP key (the secret part) */
memcpy(key + 3, wep->key, wep->key_len);
/* Apply RC4 to data and compute CRC32 over decrypted data */
plen = skb->len - hdr_len - 8;
if (!tcb_desc->bHwSec) {
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len < 0 || len > WEP_KEY_LEN)
return -1;
memcpy(wep->key, key, len);
wep->key_len = len;
return 0;
}
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len < wep->key_len)
return -1;
memcpy(key, wep->key, wep->key_len);
return wep->key_len;
}
Reported by FlawFinder.
drivers/staging/gs_fpgaboot/gs_fpgaboot.h
4 issues
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* the following can be read from bitstream,
* but other image format should have as well
*/
char filename[MAX_STR];
char part[MAX_STR];
char date[MAX_STR];
char time[MAX_STR];
int lendata;
u8 *fpgadata;
Reported by FlawFinder.
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* but other image format should have as well
*/
char filename[MAX_STR];
char part[MAX_STR];
char date[MAX_STR];
char time[MAX_STR];
int lendata;
u8 *fpgadata;
};
Reported by FlawFinder.
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
char filename[MAX_STR];
char part[MAX_STR];
char date[MAX_STR];
char time[MAX_STR];
int lendata;
u8 *fpgadata;
};
Reported by FlawFinder.
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char filename[MAX_STR];
char part[MAX_STR];
char date[MAX_STR];
char time[MAX_STR];
int lendata;
u8 *fpgadata;
};
Reported by FlawFinder.