The following issues were found
drivers/usb/dwc2/hcd.c
4 issues
Line: 2482
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
/* Restore urb->transfer_buffer from the end of the allocated area */
memcpy(&stored_xfer_buffer,
PTR_ALIGN(urb->transfer_buffer + urb->transfer_buffer_length,
dma_get_cache_alignment()),
sizeof(urb->transfer_buffer));
if (usb_urb_dir_in(urb)) {
Reported by FlawFinder.
Line: 2493
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
length = urb->actual_length;
memcpy(stored_xfer_buffer, urb->transfer_buffer, length);
}
kfree(urb->transfer_buffer);
urb->transfer_buffer = stored_xfer_buffer;
urb->transfer_flags &= ~URB_ALIGNED_TEMP_BUFFER;
Reported by FlawFinder.
Line: 2528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Position value of original urb->transfer_buffer pointer to the end
* of allocation for later referencing
*/
memcpy(PTR_ALIGN(kmalloc_ptr + urb->transfer_buffer_length,
dma_get_cache_alignment()),
&urb->transfer_buffer, sizeof(urb->transfer_buffer));
if (usb_urb_dir_out(urb))
memcpy(kmalloc_ptr, urb->transfer_buffer,
Reported by FlawFinder.
Line: 2533
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&urb->transfer_buffer, sizeof(urb->transfer_buffer));
if (usb_urb_dir_out(urb))
memcpy(kmalloc_ptr, urb->transfer_buffer,
urb->transfer_buffer_length);
urb->transfer_buffer = kmalloc_ptr;
urb->transfer_flags |= URB_ALIGNED_TEMP_BUFFER;
Reported by FlawFinder.
drivers/scsi/qedi/qedi_debugfs.c
4 issues
Line: 22
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct qedi_debugfs_ops *dops,
const struct file_operations *fops)
{
char host_dirname[32];
sprintf(host_dirname, "host%u", qedi->host_no);
qedi->bdf_dentry = debugfs_create_dir(host_dirname, qedi_dbg_root);
while (dops) {
Reported by FlawFinder.
Line: 24
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
char host_dirname[32];
sprintf(host_dirname, "host%u", qedi->host_no);
qedi->bdf_dentry = debugfs_create_dir(host_dirname, qedi_dbg_root);
while (dops) {
if (!(dops->name))
break;
Reported by FlawFinder.
Line: 128
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (*ppos)
return 0;
cnt = sprintf(buffer, "do_not_recover=%d\n", qedi_do_not_recover);
cnt = min_t(int, count, cnt - *ppos);
*ppos += cnt;
return cnt;
}
Reported by FlawFinder.
Line: 109
Column: 39
CWE codes:
126
if (!(lof->oper_str))
break;
if (!strncmp(lof->oper_str, buffer, strlen(lof->oper_str))) {
cnt = lof->oper_func(qedi_dbg);
break;
}
lof++;
Reported by FlawFinder.
drivers/thunderbolt/domain.c
4 issues
Line: 281
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (tb->security_level < ARRAY_SIZE(tb_security_names))
name = tb_security_names[tb->security_level];
return sprintf(buf, "%s\n", name);
}
static DEVICE_ATTR_RO(security);
static struct attribute *domain_attrs[] = {
&dev_attr_boot_acl.attr,
Reported by FlawFinder.
Line: 254
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
tb->security_level == TB_SECURITY_SECURE)
deauthorization = !!tb->cm_ops->disapprove_switch;
return sprintf(buf, "%d\n", deauthorization);
}
static DEVICE_ATTR_RO(deauthorization);
static ssize_t iommu_dma_protection_show(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 267
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* handled natively using IOMMU. It is enabled when IOMMU is
* enabled and ACPI DMAR table has DMAR_PLATFORM_OPT_IN set.
*/
return sprintf(buf, "%d\n",
iommu_present(&pci_bus_type) && dmar_platform_optin());
}
static DEVICE_ATTR_RO(iommu_dma_protection);
static ssize_t security_show(struct device *dev, struct device_attribute *attr,
Reported by FlawFinder.
Line: 197
Column: 16
CWE codes:
126
uuid_str = strim(str);
while ((s = strsep(&uuid_str, ",")) != NULL && i < tb->nboot_acl) {
size_t len = strlen(s);
if (len) {
if (len != UUID_STRING_LEN) {
ret = -EINVAL;
goto err_free_acl;
Reported by FlawFinder.
drivers/scsi/qedi/qedi_fw_api.c
4 issues
Line: 30
CWE codes:
476
u8 num_sges;
u32 val;
num_sges = (sgl_task_params->num_sges > SCSI_NUM_SGES_IN_CACHE) ?
SCSI_NUM_SGES_IN_CACHE : sgl_task_params->num_sges;
/* sgl params */
val = cpu_to_le32(sgl_task_params->sgl_phys_addr.lo);
ctx_sgl_params->sgl_addr.lo = val;
Reported by Cppcheck.
Line: 126
CWE codes:
476
sgl_task_params,
dif_task_params);
if (scsi_is_slow_sgl(sgl_task_params->num_sges,
sgl_task_params->small_mid_sge))
num_sges = ISCSI_WQE_NUM_SGES_SLOWIO;
else
num_sges = min(sgl_task_params->num_sges,
(u16)SCSI_NUM_SGES_SLOW_SGL_THR);
Reported by Cppcheck.
Line: 127
CWE codes:
476
dif_task_params);
if (scsi_is_slow_sgl(sgl_task_params->num_sges,
sgl_task_params->small_mid_sge))
num_sges = ISCSI_WQE_NUM_SGES_SLOWIO;
else
num_sges = min(sgl_task_params->num_sges,
(u16)SCSI_NUM_SGES_SLOW_SGL_THR);
}
Reported by Cppcheck.
Line: 130
CWE codes:
476
sgl_task_params->small_mid_sge))
num_sges = ISCSI_WQE_NUM_SGES_SLOWIO;
else
num_sges = min(sgl_task_params->num_sges,
(u16)SCSI_NUM_SGES_SLOW_SGL_THR);
}
SET_FIELD(task_params->sqe->flags, ISCSI_WQE_NUM_SGES,
num_sges);
Reported by Cppcheck.
drivers/usb/gadget/udc/aspeed-vhub/hub.c
4 issues
Line: 275
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch(desc_type) {
case USB_DT_DEVICE:
dsize = USB_DT_DEVICE_SIZE;
memcpy(ep->buf, &vhub->vhub_dev_desc, dsize);
BUILD_BUG_ON(dsize > sizeof(vhub->vhub_dev_desc));
BUILD_BUG_ON(USB_DT_DEVICE_SIZE >= AST_VHUB_EP0_MAX_PACKET);
break;
case USB_DT_CONFIG:
dsize = AST_VHUB_CONF_DESC_SIZE;
Reported by FlawFinder.
Line: 281
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case USB_DT_CONFIG:
dsize = AST_VHUB_CONF_DESC_SIZE;
memcpy(ep->buf, &vhub->vhub_conf_desc, dsize);
BUILD_BUG_ON(dsize > sizeof(vhub->vhub_conf_desc));
BUILD_BUG_ON(AST_VHUB_CONF_DESC_SIZE >= AST_VHUB_EP0_MAX_PACKET);
break;
case USB_DT_HUB:
dsize = AST_VHUB_HUB_DESC_SIZE;
Reported by FlawFinder.
Line: 287
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case USB_DT_HUB:
dsize = AST_VHUB_HUB_DESC_SIZE;
memcpy(ep->buf, &vhub->vhub_hub_desc, dsize);
BUILD_BUG_ON(dsize > sizeof(vhub->vhub_hub_desc));
BUILD_BUG_ON(AST_VHUB_HUB_DESC_SIZE >= AST_VHUB_EP0_MAX_PACKET);
break;
default:
return std_req_stall;
Reported by FlawFinder.
Line: 373
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return std_req_stall;
/* Shoot it from the EP buffer */
memcpy(ep->buf, buf, rc);
return ast_vhub_reply(ep, NULL, min_t(u16, rc, len));
}
enum std_req_rc ast_vhub_std_hub_request(struct ast_vhub_ep *ep,
struct usb_ctrlrequest *crq)
Reported by FlawFinder.
drivers/thunderbolt/ctl.c
4 issues
Line: 945
CWE codes:
476
struct cfg_read_pkg reply;
int retries = 0;
memcpy(&request.data, buffer, length * 4);
while (retries < TB_CTL_RETRIES) {
struct tb_cfg_request *req;
req = tb_cfg_request_alloc();
Reported by Cppcheck.
Line: 798
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
res = parse_header(pkg, req->response_size, req->response_type,
tb_cfg_get_route(req->request));
if (!res.err)
memcpy(req->response, pkg->buffer, req->response_size);
req->result = res;
/* Always complete when first response is received */
return true;
Reported by FlawFinder.
Line: 911
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
res.response_port = reply.addr.port;
res.err = check_config_address(reply.addr, space, offset, length);
if (!res.err)
memcpy(buffer, &reply.data, 4 * length);
return res;
}
/**
* tb_cfg_write() - write from buffer into config space
Reported by FlawFinder.
Line: 945
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct cfg_read_pkg reply;
int retries = 0;
memcpy(&request.data, buffer, length * 4);
while (retries < TB_CTL_RETRIES) {
struct tb_cfg_request *req;
req = tb_cfg_request_alloc();
Reported by FlawFinder.
drivers/staging/rtl8188eu/include/rtw_event.h
4 issues
Line: 55
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct stassoc_event {
unsigned char macaddr[6];
unsigned char rsvd[2];
int cam_id;
};
struct stadel_event {
Reported by FlawFinder.
Line: 56
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct stassoc_event {
unsigned char macaddr[6];
unsigned char rsvd[2];
int cam_id;
};
struct stadel_event {
unsigned char macaddr[6];
Reported by FlawFinder.
Line: 61
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct stadel_event {
unsigned char macaddr[6];
unsigned char rsvd[2]; /* for reason */
int mac_id;
};
struct fwevent {
Reported by FlawFinder.
Line: 62
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct stadel_event {
unsigned char macaddr[6];
unsigned char rsvd[2]; /* for reason */
int mac_id;
};
struct fwevent {
u32 parmsize;
Reported by FlawFinder.
drivers/thermal/thermal_core.h
4 issues
Line: 59
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct thermal_attr {
struct device_attribute attr;
char name[THERMAL_NAME_LENGTH];
};
static inline bool cdev_is_power_actor(struct thermal_cooling_device *cdev)
{
return cdev->ops->get_requested_power && cdev->ops->state2power &&
Reported by FlawFinder.
Line: 99
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct thermal_instance {
int id;
char name[THERMAL_NAME_LENGTH];
struct thermal_zone_device *tz;
struct thermal_cooling_device *cdev;
int trip;
bool initialized;
unsigned long upper; /* Highest cooling state for this trip point */
Reported by FlawFinder.
Line: 107
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long upper; /* Highest cooling state for this trip point */
unsigned long lower; /* Lowest cooling state for this trip point */
unsigned long target; /* expected cooling state */
char attr_name[THERMAL_NAME_LENGTH];
struct device_attribute attr;
char weight_attr_name[THERMAL_NAME_LENGTH];
struct device_attribute weight_attr;
struct list_head tz_node; /* node in tz->thermal_instances */
struct list_head cdev_node; /* node in cdev->thermal_instances */
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long target; /* expected cooling state */
char attr_name[THERMAL_NAME_LENGTH];
struct device_attribute attr;
char weight_attr_name[THERMAL_NAME_LENGTH];
struct device_attribute weight_attr;
struct list_head tz_node; /* node in tz->thermal_instances */
struct list_head cdev_node; /* node in cdev->thermal_instances */
unsigned int weight; /* The weight of the cooling device */
};
Reported by FlawFinder.
drivers/staging/rtl8712/rtl871x_ioctl_set.c
4 issues
Line: 82
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
&(padapter->registrypriv.dev_network);
pmlmepriv->fw_state = WIFI_ADHOC_MASTER_STATE;
pibss = padapter->registrypriv.dev_network.MacAddress;
memcpy(&pdev_network->Ssid,
&pmlmepriv->assoc_ssid,
sizeof(struct ndis_802_11_ssid));
r8712_update_registrypriv_dev_network(padapter);
r8712_generate_random_ibss(pibss);
if (r8712_createbss_cmd(padapter))
Reported by FlawFinder.
Line: 145
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
}
memcpy(&pmlmepriv->assoc_bssid, bssid, ETH_ALEN);
pmlmepriv->assoc_by_bssid = true;
status = do_join(padapter);
goto done;
_Abort_Set_BSSID:
done:
Reported by FlawFinder.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto _Abort_Set_SSID;
if (!validate_ssid(ssid))
goto _Abort_Set_SSID;
memcpy(&pmlmepriv->assoc_ssid, ssid, sizeof(struct ndis_802_11_ssid));
pmlmepriv->assoc_by_bssid = false;
do_join(padapter);
goto done;
_Abort_Set_SSID:
done:
Reported by FlawFinder.
Line: 350
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
psecuritypriv->PrivacyAlgrthm = _NO_PRIVACY_;
break;
}
memcpy(psecuritypriv->DefKey[keyid].skey, &wep->KeyMaterial,
wep->KeyLength);
psecuritypriv->DefKeylen[keyid] = wep->KeyLength;
psecuritypriv->PrivacyKeyIndex = keyid;
return r8712_set_key(padapter, psecuritypriv, keyid);
}
Reported by FlawFinder.
drivers/scsi/mvsas/mv_94xx.c
4 issues
Line: 818
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
CONFIG_ID_FRAME0 + i * 4);
id_frame[i] = cpu_to_le32(mvs_read_port_cfg_data(mvi, port_id));
}
memcpy(id, id_frame, 28);
}
static void mvs_94xx_get_att_identify_frame(struct mvs_info *mvi, int port_id,
struct sas_identify_frame *id)
{
Reported by FlawFinder.
Line: 834
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mv_dprintk("94xx phy %d atta frame %d %x.\n",
port_id + mvi->id * mvi->chip->n_phy, i, id_frame[i]);
}
memcpy(id, id_frame, 28);
}
static u32 mvs_94xx_make_dev_info(struct sas_identify_frame *id)
{
u32 att_dev_info = 0;
Reported by FlawFinder.
Line: 950
Column: 6
CWE codes:
120
20
u32 dwTmp;
dwTmp = ((u32)cmd << 8) | ((u32)length << 4);
if (read)
dwTmp |= SPI_CTRL_READ_94XX;
if (addr != MV_MAX_U32) {
mw32(SPI_ADDR_REG_94XX, (addr & 0x0003FFFFL));
dwTmp |= SPI_ADDR_VLD_94XX;
Reported by FlawFinder.