The following issues were found
drivers/usb/early/ehci-dbgp.c
4 issues
Line: 911
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void early_dbgp_write(struct console *con, const char *str, u32 n)
{
int chunk;
char buf[DBGP_MAX_PACKET];
int use_cr = 0;
u32 cmd, ctrl;
int reset_run = 0;
if (!ehci_debug || dbgp_not_safe)
Reported by FlawFinder.
Line: 1005
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_KGDB
static char kgdbdbgp_buf[DBGP_MAX_PACKET];
static int kgdbdbgp_buf_sz;
static int kgdbdbgp_buf_idx;
static int kgdbdbgp_loop_cnt = DBGP_LOOPS;
static int kgdbdbgp_read_char(void)
Reported by FlawFinder.
Line: 329
Column: 6
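CWE codes:
120
20
Note: the flagged token is the local variable `read` (set from `requesttype & USB_DIR_IN`), not a call to read(); the finding at line 333, column 14 below matches the same variable. In the excerpt, `size` is rejected with -1 when it exceeds DBGP_MAX_PACKET (or 0 for a non-read request).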
{
u32 pids, addr, ctrl;
struct usb_ctrlrequest req;
int read;
int ret;
read = (requesttype & USB_DIR_IN) != 0;
if (size > (read ? DBGP_MAX_PACKET : 0))
return -1;
Reported by FlawFinder.
Line: 333
Column: 14
CWE codes:
120
20
int ret;
read = (requesttype & USB_DIR_IN) != 0;
if (size > (read ? DBGP_MAX_PACKET : 0))
return -1;
/* Compute the control message */
req.bRequestType = requesttype;
req.bRequest = request;
Reported by FlawFinder.
drivers/usb/core/file.c
4 issues
Line: 202
Column: 2
CWE codes:
134
Suggestion:
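Use a constant for the format specification. Here the format string is `class_driver->name`, supplied by the driver that registers the device, and the output is bounded by `sizeof(name)`; the exposure is therefore limited to whatever format directives that driver-provided string contains.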
}
/* create a usb class device for this usb interface */
snprintf(name, sizeof(name), class_driver->name, minor - minor_base);
intf->usb_dev = device_create(usb_class->class, &intf->dev,
MKDEV(USB_MAJOR, minor), class_driver,
"%s", kbasename(name));
if (IS_ERR(intf->usb_dev)) {
usb_minors[minor] = NULL;
Reported by FlawFinder.
Line: 47
Column: 18
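CWE codes:
362
Note: the match is on the `open` member of `file->f_op` (a file-operations callback), not a path-based open() call, so the path race this rule normally targets does not apply as written. The finding at line 48, column 21 below matches the call through the same pointer.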
replace_fops(file, new_fops);
/* Curiouser and curiouser... NULL ->open() as "no device" ? */
if (file->f_op->open)
err = file->f_op->open(inode, file);
done:
up_read(&minor_rwsem);
return err;
}
Reported by FlawFinder.
Line: 48
Column: 21
CWE codes:
362
replace_fops(file, new_fops);
/* Curiouser and curiouser... NULL ->open() as "no device" ? */
if (file->f_op->open)
err = file->f_op->open(inode, file);
done:
up_read(&minor_rwsem);
return err;
}
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int retval;
int minor_base = class_driver->minor_base;
int minor;
char name[20];
#ifdef CONFIG_USB_DYNAMIC_MINORS
/*
* We don't care what the device tries to start at, we want to start
* at zero to pack the devices into the smallest available space with
Reported by FlawFinder.
drivers/tty/nozomi.c
4 issues
Line: 74
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define DUMP(buf__, len__) \
do { \
char tbuf[TMP_BUF_MAX] = {0}; \
if (len__ > 1) { \
u32 data_len = min_t(u32, len__, TMP_BUF_MAX); \
strscpy(tbuf, buf__, data_len); \
if (tbuf[data_len - 2] == '\r') \
tbuf[data_len - 2] = 'r'; \
Reported by FlawFinder.
Line: 825
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef DEBUG
static char *interrupt2str(u16 interrupt)
{
static char buf[TMP_BUF_MAX];
char *p = buf;
if (interrupt & MDM_DL1)
p += scnprintf(p, TMP_BUF_MAX, "MDM_DL1 ");
if (interrupt & MDM_DL2)
Reported by FlawFinder.
Line: 1272
Column: 9
CWE codes:
120
Suggestion:
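Use sprintf_s, snprintf, or vsnprintf. In kernel code sprintf_s is not available; for a sysfs show callback like this one, sysfs_emit() is the bounded replacement.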
{
const struct nozomi *dc = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", dc->card_type);
}
static DEVICE_ATTR_RO(card_type);
static ssize_t open_ttys_show(struct device *dev, struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
Line: 1281
Column: 9
CWE codes:
120
Suggestion:
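Use sprintf_s, snprintf, or vsnprintf. In kernel code sprintf_s is not available; for a sysfs show callback like this one, sysfs_emit() is the bounded replacement.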
{
const struct nozomi *dc = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", dc->open_ttys);
}
static DEVICE_ATTR_RO(open_ttys);
static void make_sysfs_files(struct nozomi *dc)
{
Reported by FlawFinder.
drivers/staging/greybus/fw-management.c
4 issues
Line: 123
Column: 2
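CWE codes:
120
Note: strncpy() with a count equal to the full field size (GB_FIRMWARE_TAG_MAX_SIZE) does not guarantee NUL termination. The comment in the excerpt indicates that termination is checked afterwards, but that check lies outside the lines shown. The findings at lines 153, 250 and 304 below follow the same pattern.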
fw_info->major = le16_to_cpu(response.major);
fw_info->minor = le16_to_cpu(response.minor);
strncpy(fw_info->firmware_tag, response.firmware_tag,
GB_FIRMWARE_TAG_MAX_SIZE);
/*
* The firmware-tag should be NULL terminated, otherwise throw error but
* don't fail.
Reported by FlawFinder.
Line: 153
Column: 2
CWE codes:
120
}
request.load_method = load_method;
strncpy(request.firmware_tag, tag, GB_FIRMWARE_TAG_MAX_SIZE);
/*
* The firmware-tag should be NULL terminated, otherwise throw error and
* fail.
*/
Reported by FlawFinder.
Line: 250
Column: 2
CWE codes:
120
struct gb_fw_mgmt_backend_fw_version_response response;
int ret;
strncpy(request.firmware_tag, fw_info->firmware_tag,
GB_FIRMWARE_TAG_MAX_SIZE);
/*
* The firmware-tag should be NULL terminated, otherwise throw error and
* fail.
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
120
struct gb_fw_mgmt_backend_fw_update_request request;
int ret;
strncpy(request.firmware_tag, tag, GB_FIRMWARE_TAG_MAX_SIZE);
/*
* The firmware-tag should be NULL terminated, otherwise throw error and
* fail.
*/
Reported by FlawFinder.
drivers/usb/core/message.c
4 issues
Line: 56
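CWE codes:
562
Note: the finding concerns the address of `ctx` being stored in `urb->context`. Whether that pointer can outlive `ctx` depends on the function waiting for the URB to complete before it returns, which the excerpt does not show.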
int retval;
init_completion(&ctx.done);
urb->context = &ctx;
urb->actual_length = 0;
retval = usb_submit_urb(urb, GFP_NOIO);
if (unlikely(retval))
goto out;
Reported by Cppcheck.
Line: 286
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto exit;
if (ret == size) {
memcpy(driver_data, data, size);
ret = 0;
} else {
ret = -EREMOTEIO;
}
Reported by FlawFinder.
Line: 1034
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
smallbuf = kmalloc(++len, GFP_NOIO);
if (!smallbuf)
return buf;
memcpy(smallbuf, buf, len);
}
kfree(buf);
}
return smallbuf;
}
Reported by FlawFinder.
Line: 1073
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = usb_get_descriptor(dev, USB_DT_DEVICE, 0, desc, size);
if (ret >= 0)
memcpy(&dev->descriptor, desc, size);
kfree(desc);
return ret;
}
/*
Reported by FlawFinder.
drivers/scsi/pm8001/pm8001_init.c
4 issues
Line: 532
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pm8001_dbg(pm8001_ha, FAIL,
"Setting link rate to default value\n");
}
sprintf(pm8001_ha->name, "%s%d", DRV_NAME, pm8001_ha->id);
/* IOMB size is 128 for 8088/89 controllers */
if (pm8001_ha->chip_id != chip_8001)
pm8001_ha->iomb_size = IOMB_SIZE_SPCV;
else
pm8001_ha->iomb_size = IOMB_SIZE_SPC;
Reported by FlawFinder.
Line: 723
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pm8001_ha->sas_addr[j] =
payload.func_specific[0x804 + i];
}
memcpy(sas_add, pm8001_ha->sas_addr, SAS_ADDR_SIZE);
for (i = 0; i < pm8001_ha->chip->n_phy; i++) {
if (i && ((i % 4) == 0))
sas_add[7] = sas_add[7] + 4;
memcpy(&pm8001_ha->phy[i].dev_sas_addr,
sas_add, SAS_ADDR_SIZE);
Reported by FlawFinder.
Line: 727
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < pm8001_ha->chip->n_phy; i++) {
if (i && ((i % 4) == 0))
sas_add[7] = sas_add[7] + 4;
memcpy(&pm8001_ha->phy[i].dev_sas_addr,
sas_add, SAS_ADDR_SIZE);
pm8001_dbg(pm8001_ha, INIT, "phy %d sas_addr = %016llx\n", i,
pm8001_ha->phy[i].dev_sas_addr);
}
kfree(payload.func_specific);
Reported by FlawFinder.
Line: 740
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cpu_to_be64((u64)
(*(u64 *)&pm8001_ha->phy[i].dev_sas_addr));
}
memcpy(pm8001_ha->sas_addr, &pm8001_ha->phy[0].dev_sas_addr,
SAS_ADDR_SIZE);
#endif
}
/*
Reported by FlawFinder.
drivers/tty/hvc/hvsi_lib.c
4 issues
Line: 203
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Consume existing data packet */
if (pv->inbuf_pktlen) {
unsigned int l = min(count, (int)pv->inbuf_pktlen);
memcpy(&buf[read], &pv->inbuf[pv->inbuf_cur], l);
pv->inbuf_cur += l;
pv->inbuf_pktlen -= l;
count -= l;
read += l;
}
Reported by FlawFinder.
Line: 241
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dp.hdr.type = VS_DATA_PACKET_HEADER;
dp.hdr.len = adjcount + sizeof(struct hvsi_header);
memcpy(dp.data, buf, adjcount);
rc = hvsi_send_packet(pv, &dp.hdr);
if (rc <= 0)
return rc;
return adjcount;
}
Reported by FlawFinder.
Line: 203
Column: 16
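CWE codes:
120
20
Note: the flagged token at column 16 is the local index variable `read` in `&buf[read]`, not a call to read(); the finding at line 228, column 9 below (`return read;`) matches the same variable.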
/* Consume existing data packet */
if (pv->inbuf_pktlen) {
unsigned int l = min(count, (int)pv->inbuf_pktlen);
memcpy(&buf[read], &pv->inbuf[pv->inbuf_cur], l);
pv->inbuf_cur += l;
pv->inbuf_pktlen -= l;
count -= l;
read += l;
}
Reported by FlawFinder.
Line: 228
Column: 9
CWE codes:
120
20
pr_devel("HVSI@%x: returning -EPIPE\n", pv->termno);
return -EPIPE;
}
return read;
}
int hvsilib_put_chars(struct hvsi_priv *pv, const char *buf, int count)
{
struct hvsi_data dp;
Reported by FlawFinder.
drivers/tty/hvc/hvsi.c
4 issues
Line: 375
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* overflow and send it later
*/
pr_debug("%s: deferring overflow\n", __func__);
memcpy(hp->throttle_buf, data + TTY_THRESHOLD_THROTTLE, overflow);
hp->n_throttle = overflow;
}
return true;
}
Reported by FlawFinder.
Line: 674
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
packet.hdr.type = VS_DATA_PACKET_HEADER;
packet.hdr.seqno = cpu_to_be16(atomic_inc_return(&hp->seqno));
packet.hdr.len = count + sizeof(struct hvsi_header);
memcpy(&packet.data, buf, count);
ret = hvc_put_chars(hp->vtermno, (char *)&packet, packet.hdr.len);
if (ret == packet.hdr.len) {
/* return the number of chars written, not the packet length */
return count;
Reported by FlawFinder.
Line: 935
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int chunksize = min_t(int, count, hvsi_write_room(tty));
BUG_ON(hp->n_outbuf < 0);
memcpy(hp->outbuf + hp->n_outbuf, source, chunksize);
hp->n_outbuf += chunksize;
total += chunksize;
source += chunksize;
count -= chunksize;
Reported by FlawFinder.
Line: 1087
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int count)
{
struct hvsi_struct *hp = &hvsi_ports[console->index];
char c[HVSI_MAX_OUTGOING_DATA] __ALIGNED__;
unsigned int i = 0, n = 0;
int ret, donecr = 0;
mb();
if (!is_open(hp))
Reported by FlawFinder.
drivers/staging/rtl8712/wlan_bssdef.h
4 issues
Line: 71
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct wlan_bssid_ex {
u32 Length;
unsigned char MacAddress[6];
u8 Reserved[2];
struct ndis_802_11_ssid Ssid;
__le32 Privacy;
s32 Rssi;
enum NDIS_802_11_NETWORK_TYPE NetworkTypeInUse;
Reported by FlawFinder.
Line: 122
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * NDIS_802_11_AI_REQFI - two 16-bit fields followed by a 6-byte address.
 * NOTE(review): the name suggests the fixed fields of an association
 * request; confirm against the users of this struct.
 */
struct NDIS_802_11_AI_REQFI {
	u16 Capabilities;
	u16 ListenInterval;
	/* Fixed 6-byte array: bound any copy into it by sizeof(CurrentAPAddress). */
	unsigned char CurrentAPAddress[6];
};
struct NDIS_802_11_AI_RESFI {
u16 Capabilities;
u16 StatusCode;
Reported by FlawFinder.
Line: 148
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 Length; /* Length of this structure */
u32 KeyIndex;
u32 KeyLength; /* length of key in bytes */
unsigned char BSSID[6];
unsigned long long KeyRSC;
u8 KeyMaterial[32]; /* variable length */
};
struct NDIS_802_11_REMOVE_KEY {
Reported by FlawFinder.
Line: 156
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * NDIS_802_11_REMOVE_KEY - length-prefixed record holding a key index and a
 * 6-byte BSSID.
 * NOTE(review): presumably identifies a key to delete; confirm against the
 * code that consumes this struct.
 */
struct NDIS_802_11_REMOVE_KEY {
	u32 Length; /* Length of this structure */
	u32 KeyIndex;
	/* Fixed 6-byte array: bound any copy into it by sizeof(BSSID). */
	unsigned char BSSID[6];
};
struct NDIS_802_11_WEP {
u32 Length; /* Length of this structure */
u32 KeyIndex; /* 0 is the per-client key,
Reported by FlawFinder.
drivers/scsi/stex.c
4 issues
Line: 333
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct st_ccb *wait_ccb;
__le32 *scratch;
char work_q_name[20];
struct workqueue_struct *work_q;
struct work_struct reset_work;
wait_queue_head_t reset_waitq;
unsigned int mu_status;
unsigned int cardtype;
Reported by FlawFinder.
Line: 617
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
switch (cmd->cmnd[0]) {
case MODE_SENSE_10:
{
static char ms10_caching_page[12] =
{ 0, 0x12, 0, 0, 0, 0, 0, 0, 0x8, 0xa, 0x4, 0 };
unsigned char page;
page = cmd->cmnd[2] & 0x3f;
if (page == 0x8 || page == 0x3f) {
Reported by FlawFinder.
Line: 704
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
req->target = id;
/* cdb */
memcpy(req->cdb, cmd->cmnd, STEX_CDB_LENGTH);
if (cmd->sc_data_direction == DMA_FROM_DEVICE)
req->data_dir = MSG_DATA_DIR_IN;
else if (cmd->sc_data_direction == DMA_TO_DEVICE)
req->data_dir = MSG_DATA_DIR_OUT;
Reported by FlawFinder.
Line: 775
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (resp->scsi_status != SAM_STAT_GOOD) {
if (ccb->sense_buffer != NULL)
memcpy(ccb->sense_buffer, resp->variable,
min(variable, ccb->sense_bufflen));
return;
}
if (ccb->cmd == NULL)
Reported by FlawFinder.