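The following issues were found by FlawFinder. FlawFinder matches source text against a database of risky functions and declarations, so each entry is a candidate for manual review, not a confirmed vulnerability.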
drivers/usb/gadget/udc/mv_u3d_core.c
4 issues
Line: 1303
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mv_u3d_eps_init(struct mv_u3d *u3d)
{
struct mv_u3d_ep *ep;
char name[14];
int i;
/* initialize ep0, ep0 in/out use eps[1] */
ep = &u3d->eps[1];
ep->u3d = u3d;
Reported by FlawFinder.
Line: 1588
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
epcontext = &u3d->ep_context[ep_num * 2 + MV_U3D_EP_DIR_IN];
/* Copy the setup packet to local buffer */
memcpy(buffer_ptr, (u8 *) &epcontext->setup_buffer, 8);
}
static void mv_u3d_irq_process_setup(struct mv_u3d *u3d)
{
u32 tmp, i;
Reported by FlawFinder.
Line: 1309
Column: 2
CWE codes:
120
/* initialize ep0, ep0 in/out use eps[1] */
ep = &u3d->eps[1];
ep->u3d = u3d;
strncpy(ep->name, "ep0", sizeof(ep->name));
ep->ep.name = ep->name;
ep->ep.ops = &mv_u3d_ep_ops;
ep->wedge = 0;
usb_ep_set_maxpacket_limit(&ep->ep, MV_U3D_EP0_MAX_PKT_SIZE);
ep->ep.caps.type_control = true;
Reported by FlawFinder.
Line: 1339
Column: 3
CWE codes:
120
ep->ep.caps.dir_out = true;
}
ep->u3d = u3d;
strncpy(ep->name, name, sizeof(ep->name));
ep->ep.name = ep->name;
ep->ep.caps.type_iso = true;
ep->ep.caps.type_bulk = true;
ep->ep.caps.type_int = true;
Reported by FlawFinder.
drivers/scsi/mpt3sas/mpt3sas_trigger_diag.c
4 issues
Line: 85
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mpi_reply->Event = cpu_to_le16(MPI3_EVENT_DIAGNOSTIC_TRIGGER_FIRED);
event_data_sz = (sizeof(struct SL_WH_TRIGGERS_EVENT_DATA_T) + 4) / 4;
mpi_reply->EventDataLength = cpu_to_le16(event_data_sz);
memcpy(&mpi_reply->EventData, event_data,
sizeof(struct SL_WH_TRIGGERS_EVENT_DATA_T));
dTriggerDiagPrintk(ioc,
ioc_info(ioc, "%s: add to driver event log\n",
__func__));
mpt3sas_ctl_add_to_event_log(ioc, mpi_reply);
Reported by FlawFinder.
Line: 140
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ioc->htb_rel.trigger_type = event_data->trigger_type;
switch (event_data->trigger_type) {
case MPT3SAS_TRIGGER_SCSI:
memcpy(&ioc->htb_rel.trigger_info_dwords,
&event_data->u.scsi,
sizeof(struct SL_WH_SCSI_TRIGGER_T));
break;
case MPT3SAS_TRIGGER_MPI:
memcpy(&ioc->htb_rel.trigger_info_dwords,
Reported by FlawFinder.
Line: 145
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(struct SL_WH_SCSI_TRIGGER_T));
break;
case MPT3SAS_TRIGGER_MPI:
memcpy(&ioc->htb_rel.trigger_info_dwords,
&event_data->u.mpi,
sizeof(struct SL_WH_MPI_TRIGGER_T));
break;
case MPT3SAS_TRIGGER_MASTER:
ioc->htb_rel.trigger_info_dwords[0] =
Reported by FlawFinder.
Line: 154
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
event_data->u.master.MasterData;
break;
case MPT3SAS_TRIGGER_EVENT:
memcpy(&ioc->htb_rel.trigger_info_dwords,
&event_data->u.event,
sizeof(struct SL_WH_EVENT_TRIGGER_T));
break;
default:
ioc_err(ioc, "%d - Is not a valid Trigger type\n",
Reported by FlawFinder.
drivers/usb/gadget/udc/mv_udc_core.c
4 issues
Line: 1238
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int eps_init(struct mv_udc *udc)
{
struct mv_ep *ep;
char name[14];
int i;
/* initialize ep0 */
ep = &udc->eps[0];
ep->udc = udc;
Reported by FlawFinder.
Line: 1774
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
writel(temp | USBCMD_SETUP_TRIPWIRE_SET, &udc->op_regs->usbcmd);
/* Copy the setup packet to local buffer */
memcpy(buffer_ptr, (u8 *) dqh->setup_buffer, 8);
} while (!(readl(&udc->op_regs->usbcmd) & USBCMD_SETUP_TRIPWIRE_SET));
/* Clear Setup Tripwire */
temp = readl(&udc->op_regs->usbcmd);
writel(temp & ~USBCMD_SETUP_TRIPWIRE_SET, &udc->op_regs->usbcmd);
Reported by FlawFinder.
Line: 1244
Column: 2
CWE codes:
120
/* initialize ep0 */
ep = &udc->eps[0];
ep->udc = udc;
strncpy(ep->name, "ep0", sizeof(ep->name));
ep->ep.name = ep->name;
ep->ep.ops = &mv_ep_ops;
ep->wedge = 0;
ep->stopped = 0;
usb_ep_set_maxpacket_limit(&ep->ep, EP0_MAX_PKT_SIZE);
Reported by FlawFinder.
Line: 1272
Column: 3
CWE codes:
120
ep->ep.caps.dir_out = true;
}
ep->udc = udc;
strncpy(ep->name, name, sizeof(ep->name));
ep->ep.name = ep->name;
ep->ep.caps.type_iso = true;
ep->ep.caps.type_bulk = true;
ep->ep.caps.type_int = true;
Reported by FlawFinder.
drivers/usb/serial/usb-serial.c
4 issues
Line: 271
Column: 32
CWE codes:
362
if (serial->disconnected)
retval = -ENODEV;
else
retval = port->serial->type->open(tty, port);
mutex_unlock(&serial->disc_mutex);
if (retval < 0)
retval = usb_translate_errors(retval);
Reported by FlawFinder.
Line: 548
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct usb_serial *serial;
struct usb_serial_port *port;
int i;
char tmp[40];
seq_puts(m, "usbserinfo:1.0 driver:2.0\n");
for (i = 0; i < USB_SERIAL_TTY_MINORS; ++i) {
port = usb_serial_port_get_by_minor(i);
if (port == NULL)
Reported by FlawFinder.
Line: 778
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct usb_serial_port *port = to_usb_serial_port(dev);
return sprintf(buf, "%u\n", port->port_number);
}
static DEVICE_ATTR_RO(port_number);
static struct attribute *usb_serial_port_attrs[] = {
&dev_attr_port_number.attr,
Reported by FlawFinder.
Line: 1402
Column: 33
CWE codes:
362
static void usb_serial_operations_init(struct usb_serial_driver *device)
{
set_to_generic_if_null(device, open);
set_to_generic_if_null(device, write);
set_to_generic_if_null(device, close);
set_to_generic_if_null(device, write_room);
set_to_generic_if_null(device, chars_in_buffer);
if (device->tx_empty)
Reported by FlawFinder.
drivers/thermal/intel/int340x_thermal/acpi_thermal_rel.h
4 issues
Line: 48
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* for userspace */
union art_object {
struct {
char source_device[8]; /* ACPI single name */
char target_device[8]; /* ACPI single name */
u64 weight;
u64 ac0_max_level;
u64 ac1_max_level;
u64 ac2_max_level;
Reported by FlawFinder.
Line: 49
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union art_object {
struct {
char source_device[8]; /* ACPI single name */
char target_device[8]; /* ACPI single name */
u64 weight;
u64 ac0_max_level;
u64 ac1_max_level;
u64 ac2_max_level;
u64 ac3_max_level;
Reported by FlawFinder.
Line: 67
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union trt_object {
struct {
char source_device[8]; /* ACPI single name */
char target_device[8]; /* ACPI single name */
u64 influence;
u64 sample_period;
u64 reserved[4];
};
Reported by FlawFinder.
Line: 68
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
union trt_object {
struct {
char source_device[8]; /* ACPI single name */
char target_device[8]; /* ACPI single name */
u64 influence;
u64 sample_period;
u64 reserved[4];
};
u64 __data[8];
Reported by FlawFinder.
drivers/staging/rtl8712/rtl871x_cmd.h
4 issues
Line: 660
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
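/*
 * Command parameter carrying an extra information element for probe
 * requests, judging by the struct name.
 *
 * The payload is a trailing variable-length member. It is declared as a C99
 * flexible array member instead of a GNU zero-length array: the layout and
 * sizeof(struct setprobereqextraie_parm) are unchanged, but sizeof(ie) is
 * now rejected by the compiler and the member can only be the last one.
 *
 * NOTE(review): ie_len presumably holds the number of bytes in ie[]; the
 * allocation and every copy into ie[] must be sized from it. The callers
 * are not visible here, so confirm this against them.
 */
struct setprobereqextraie_parm {
	unsigned char e_id;	/* presumably the element ID (confirm) */
	unsigned char ie_len;	/* presumably the byte length of ie[] (confirm) */
	unsigned char ie[];	/* variable-length payload, no storage in the struct */
};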
struct setassocreqextraie_parm {
unsigned char e_id;
unsigned char ie_len;
Reported by FlawFinder.
Line: 666
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
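/*
 * Command parameter carrying an extra information element for association
 * requests, judging by the struct name.
 *
 * The payload is a trailing variable-length member. It is declared as a C99
 * flexible array member instead of a GNU zero-length array: the layout and
 * sizeof(struct setassocreqextraie_parm) are unchanged, but sizeof(ie) is
 * now rejected by the compiler and the member can only be the last one.
 *
 * NOTE(review): ie_len presumably holds the number of bytes in ie[]; the
 * allocation and every copy into ie[] must be sized from it. The callers
 * are not visible here, so confirm this against them.
 */
struct setassocreqextraie_parm {
	unsigned char e_id;	/* presumably the element ID (confirm) */
	unsigned char ie_len;	/* presumably the byte length of ie[] (confirm) */
	unsigned char ie[];	/* variable-length payload, no storage in the struct */
};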
struct setproberspextraie_parm {
unsigned char e_id;
unsigned char ie_len;
Reported by FlawFinder.
Line: 672
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
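/*
 * Command parameter carrying an extra information element for probe
 * responses, judging by the struct name.
 *
 * The payload is a trailing variable-length member. It is declared as a C99
 * flexible array member instead of a GNU zero-length array: the layout and
 * sizeof(struct setproberspextraie_parm) are unchanged, but sizeof(ie) is
 * now rejected by the compiler and the member can only be the last one.
 *
 * NOTE(review): ie_len presumably holds the number of bytes in ie[]; the
 * allocation and every copy into ie[] must be sized from it. The callers
 * are not visible here, so confirm this against them.
 */
struct setproberspextraie_parm {
	unsigned char e_id;	/* presumably the element ID (confirm) */
	unsigned char ie_len;	/* presumably the byte length of ie[] (confirm) */
	unsigned char ie[];	/* variable-length payload, no storage in the struct */
};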
struct setassocrspextraie_parm {
unsigned char e_id;
unsigned char ie_len;
Reported by FlawFinder.
Line: 678
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
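/*
 * Command parameter carrying an extra information element for association
 * responses, judging by the struct name.
 *
 * The payload is a trailing variable-length member. It is declared as a C99
 * flexible array member instead of a GNU zero-length array: the layout and
 * sizeof(struct setassocrspextraie_parm) are unchanged, but sizeof(ie) is
 * now rejected by the compiler and the member can only be the last one.
 *
 * NOTE(review): ie_len presumably holds the number of bytes in ie[]; the
 * allocation and every copy into ie[] must be sized from it. The callers
 * are not visible here, so confirm this against them.
 */
struct setassocrspextraie_parm {
	unsigned char e_id;	/* presumably the element ID (confirm) */
	unsigned char ie_len;	/* presumably the byte length of ie[] (confirm) */
	unsigned char ie[];	/* variable-length payload, no storage in the struct */
};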
/*
 * Parameter block for an add-Block-Ack request, judging by the struct name.
 * It carries a single fixed-size value and no variable-length data.
 */
struct addBaReq_parm {
/* presumably the traffic identifier (TID); confirm against the command handler */
unsigned int tid;
};
Reported by FlawFinder.
drivers/tty/serial/amba-pl011.c
4 issues
Line: 267
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int fifosize; /* vendor-specific */
unsigned int old_cr; /* state during shutdown */
unsigned int fixed_baud; /* vendor-set fixed baud rate */
char type[12];
#ifdef CONFIG_DMA_ENGINE
/* DMA stuff */
bool using_tx_dma;
bool using_rx_dma;
struct pl011_dmarx_data dmarx;
Reported by FlawFinder.
Line: 628
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
count = PL011_DMA_BUFFER_SIZE;
if (xmit->tail < xmit->head)
memcpy(&dmatx->buf[0], &xmit->buf[xmit->tail], count);
else {
size_t first = UART_XMIT_SIZE - xmit->tail;
size_t second;
if (first > count)
Reported by FlawFinder.
Line: 637
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
first = count;
second = count - first;
memcpy(&dmatx->buf[0], &xmit->buf[xmit->tail], first);
if (second)
memcpy(&dmatx->buf[first], &xmit->buf[0], second);
}
dmatx->sg.length = count;
Reported by FlawFinder.
Line: 639
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&dmatx->buf[0], &xmit->buf[xmit->tail], first);
if (second)
memcpy(&dmatx->buf[first], &xmit->buf[0], second);
}
dmatx->sg.length = count;
if (dma_map_sg(dma_dev->dev, &dmatx->sg, 1, DMA_TO_DEVICE) != 1) {
Reported by FlawFinder.
drivers/staging/media/av7110/av7110_v4l.c
4 issues
Line: 240
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
adswitch = 1;
source = SAA7146_HPS_SOURCE_PORT_B;
sync = SAA7146_HPS_SYNC_PORT_B;
memcpy(standard, analog_standard, sizeof(struct saa7146_standard) * 2);
switch (av7110->current_input) {
case 1:
dprintk(1, "switching SAA7113 to Analog Tuner Input\n");
msp_writereg(av7110, MSP_WR_DSP, 0x0008, 0x0000); // loudspeaker source
Reported by FlawFinder.
Line: 279
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
adswitch = 0;
source = SAA7146_HPS_SOURCE_PORT_A;
sync = SAA7146_HPS_SYNC_PORT_A;
memcpy(standard, dvb_standard, sizeof(struct saa7146_standard) * 2);
dprintk(1, "switching DVB mode\n");
msp_writereg(av7110, MSP_WR_DSP, 0x0008, 0x0220); // loudspeaker source
msp_writereg(av7110, MSP_WR_DSP, 0x0009, 0x0220); // headphone source
msp_writereg(av7110, MSP_WR_DSP, 0x000a, 0x0220); // SCART 1 source
msp_writereg(av7110, MSP_WR_DSP, 0x000e, 0x3000); // FM matrix, mono
Reported by FlawFinder.
Line: 460
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(i, &inputs[i->index], sizeof(struct v4l2_input));
return 0;
}
static int vidioc_g_input(struct file *file, void *fh, unsigned int *input)
Reported by FlawFinder.
Line: 782
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msp_writereg(av7110, MSP_WR_DEM, 0x0056, 0); // LOAD_REG 1/2
}
memcpy(standard, dvb_standard, sizeof(struct saa7146_standard) * 2);
/* set dd1 stream a & b */
saa7146_write(av7110->dev, DD1_STREAM_B, 0x00000000);
saa7146_write(av7110->dev, DD1_INIT, 0x03000700);
saa7146_write(av7110->dev, MC2, (MASK_09 | MASK_25 | MASK_10 | MASK_26));
Reported by FlawFinder.
arch/s390/mm/maccess.c
4 issues
Line: 24
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static notrace long s390_kernel_write_odd(void *dst, const void *src, size_t size)
{
unsigned long aligned, offset, count;
char tmp[8];
aligned = (unsigned long) dst & ~7UL;
offset = (unsigned long) dst & 7UL;
size = min(8UL - offset, size);
count = size - 1;
Reported by FlawFinder.
Line: 66
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&s390_kernel_write_lock, flags);
if (!(flags & PSW_MASK_DAT)) {
memcpy(dst, src, size);
} else {
while (size) {
copied = s390_kernel_write_odd(tmp, src, size);
tmp += copied;
src += copied;
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (prefix) {
local_mcck_disable();
set_prefix(0);
memcpy(dest, src, count);
set_prefix(prefix);
local_mcck_enable();
} else {
memcpy(dest, src, count);
}
Reported by FlawFinder.
Line: 169
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
set_prefix(prefix);
local_mcck_enable();
} else {
memcpy(dest, src, count);
}
__ctl_load(cr0, 0, 0);
arch_local_irq_restore(flags);
}
Reported by FlawFinder.
arch/arm/vdso/vdsomunge.c
4 issues
Line: 90
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
failed = 1;
fprintf(stderr, "%s: ", argv0);
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
exit(EXIT_FAILURE);
}
static void cleanup(void)
Reported by FlawFinder.
Line: 138
Column: 9
CWE codes:
362
infile = argv[1];
outfile = argv[2];
infd = open(infile, O_RDONLY);
if (infd < 0)
fail("Cannot open %s: %s\n", infile, strerror(errno));
if (fstat(infd, &stat) != 0)
fail("Failed stat for %s: %s\n", infile, strerror(errno));
Reported by FlawFinder.
Line: 179
Column: 10
CWE codes:
362
clear_soft_float = !!(e_flags & EF_ARM_ABI_FLOAT_SOFT);
outfd = open(outfile, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
if (outfd < 0)
fail("Cannot open %s: %s\n", outfile, strerror(errno));
if (ftruncate(outfd, stat.st_size) != 0)
fail("Cannot truncate %s: %s\n", outfile, strerror(errno));
Reported by FlawFinder.
Line: 193
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
close(outfd);
memcpy(outbuf, inbuf, stat.st_size);
if (clear_soft_float) {
Elf32_Ehdr *outhdr;
outhdr = outbuf;
Reported by FlawFinder.