The following issues were found
drivers/pinctrl/bcm/pinctrl-ns.c
4 issues
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOENT;
}
/*
 * Triage note (CWE-120): the length is sizeof(*pctldesc), the size of the
 * destination's own pointee type, not a value taken from input. The copy
 * stays in bounds as long as pctldesc points at a complete object of that
 * type and ns_pinctrl_desc is at least that large. Neither declaration is
 * visible in this excerpt, so confirm both.
 */
memcpy(pctldesc, &ns_pinctrl_desc, sizeof(*pctldesc));
/* Set pinctrl properties */
pctldesc->pins = devm_kcalloc(dev, ARRAY_SIZE(ns_pinctrl_pins),
sizeof(struct pinctrl_pin_desc),
Reported by FlawFinder.
Line: 322
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int chipsets = (uintptr_t)src->drv_data;
if (chipsets & ns_pinctrl->chipset_flag) {
/*
 * Triage note (CWE-120): each copy moves exactly one element,
 * sizeof(*src) bytes, and the destination cursor then advances by one
 * element of its own type. Whether `pin` stays inside its array depends
 * on the loop bound and on the element count of the allocation it walks.
 * Both are outside this excerpt; verify that the allocation holds at
 * least as many elements as the loop can visit.
 */
memcpy(pin++, src, sizeof(*src));
pctldesc->npins++;
}
}
ns_pinctrl->groups = devm_kcalloc(dev, ARRAY_SIZE(ns_pinctrl_groups),
Reported by FlawFinder.
Line: 337
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct ns_pinctrl_group *src = &ns_pinctrl_groups[i];
if (src->chipsets & ns_pinctrl->chipset_flag) {
/*
 * Triage note (CWE-120): fixed-size copy of one struct ns_pinctrl_group.
 * The source index i selects an entry of ns_pinctrl_groups; the loop
 * bound on i and the size of the array `group` walks are not visible
 * here. The copy is safe only if that array has room for every entry
 * the filter can accept - confirm against the allocation.
 */
memcpy(group++, src, sizeof(*src));
ns_pinctrl->num_groups++;
}
}
ns_pinctrl->functions = devm_kcalloc(dev,
Reported by FlawFinder.
Line: 353
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct ns_pinctrl_function *src = &ns_pinctrl_functions[i];
if (src->chipsets & ns_pinctrl->chipset_flag) {
/*
 * Triage note (CWE-120): fixed-size copy of one
 * struct ns_pinctrl_function. The length is a compile-time constant; the
 * open question is the capacity of the array `function` walks and the
 * loop bound on i, neither of which is visible in this excerpt. Verify
 * that the allocation count covers every entry the loop can copy.
 */
memcpy(function++, src, sizeof(*src));
ns_pinctrl->num_functions++;
}
}
/* Register */
Reported by FlawFinder.
drivers/net/wireless/marvell/mwifiex/cmdevt.c
4 issues
Line: 160
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct mwifiex_ds_misc_cmd *pcmd_ptr)
{
/* Copy the HOST command to command buffer */
/*
 * Triage note (CWE-120): the length is pcmd_ptr->len, and nothing in this
 * function compares it with the capacity of the buffer behind cmd. Any
 * bound has to be enforced where pcmd_ptr->len is set or by the caller,
 * which is not visible here. This finding needs a look at those call
 * sites before it can be closed.
 */
memcpy(cmd, pcmd_ptr->cmd, pcmd_ptr->len);
mwifiex_dbg(priv->adapter, CMD,
"cmd: host cmd size = %d\n", pcmd_ptr->len);
return 0;
}
Reported by FlawFinder.
Line: 351
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_put(sleep_cfm_tmp, sizeof(struct mwifiex_opt_sleep_confirm)
+ MWIFIEX_TYPE_LEN);
put_unaligned_le32(MWIFIEX_USB_TYPE_CMD, sleep_cfm_tmp->data);
/*
 * Triage note (CWE-120): the skb_put() above extends the skb by
 * MWIFIEX_TYPE_LEN plus sizeof(struct mwifiex_opt_sleep_confirm), and this
 * copy writes sizeof(struct mwifiex_opt_sleep_confirm) bytes starting at
 * offset MWIFIEX_TYPE_LEN, so the write matches the space just reserved.
 * Still to confirm outside this excerpt: sleep_cfm_tmp was allocated with
 * that much room, and adapter->sleep_cfm->data holds at least that many
 * bytes to read.
 */
memcpy(sleep_cfm_tmp->data + MWIFIEX_TYPE_LEN,
adapter->sleep_cfm->data,
sizeof(struct mwifiex_opt_sleep_confirm));
ret = adapter->if_ops.host_to_card(adapter,
MWIFIEX_USB_EP_CMD_EVENT,
sleep_cfm_tmp, NULL);
Reported by FlawFinder.
Line: 848
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (adapter->curr_cmd->data_buf) {
hostcmd = adapter->curr_cmd->data_buf;
hostcmd->len = size;
/*
 * Triage note (CWE-120): no comparison of `size` with the capacity of
 * hostcmd->cmd is visible in these lines. Where `size` comes from is
 * outside the excerpt; if it is derived from the response received from
 * the device, it must be clamped to the buffer size before this copy.
 * Verify against the full function.
 */
memcpy(hostcmd->cmd, resp, size);
}
}
/* Get BSS number and corresponding priv */
priv = mwifiex_get_priv_by_id(adapter,
Reported by FlawFinder.
Line: 1466
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->command = cpu_to_le16(HostCmd_CMD_GET_HW_SPEC);
cmd->size =
cpu_to_le16(sizeof(struct host_cmd_ds_get_hw_spec) + S_DS_GEN);
/*
 * Triage note (CWE-120): constant-length copy of ETH_ALEN bytes. It is in
 * bounds provided permanent_addr and curr_addr are each at least ETH_ALEN
 * bytes; their declarations are not shown here. Likely a low-risk
 * pattern match, but confirm the field sizes.
 */
memcpy(hw_spec->permanent_addr, priv->curr_addr, ETH_ALEN);
return 0;
}
/*
Reported by FlawFinder.
drivers/net/wwan/wwan_hwsim.c
4 issues
Line: 159
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((i + 1) < in->len && in->data[i + 1] == '\n')
i++;
n = i - s + 1;
/*
 * Triage note (CWE-120): the destination is the pointer returned by
 * skb_put(out, n) and the copy length is the same n, so the write matches
 * the region just appended. skb_put() checks the skb's tailroom itself,
 * so the open question is whether `out` was allocated large enough for
 * the echoed input plus the responses; that allocation is outside this
 * excerpt. On the read side, s..i must lie inside in->data; the first
 * line shows i + 1 being checked against in->len before it is used.
 */
memcpy(skb_put(out, n), &in->data[s], n);/* Echo */
memcpy(skb_put(out, 6), "\r\nOK\r\n", 6);
s = i + 1;
port->pstate = AT_PARSER_WAIT_A;
} else if (port->pstate == AT_PARSER_SKIP_LINE) {
if (c != '\r')
Reported by FlawFinder.
Line: 160
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i++;
n = i - s + 1;
memcpy(skb_put(out, n), &in->data[s], n);/* Echo */
/*
 * Triage note (CWE-120): the source is a string literal of six characters
 * and the length is the constant 6, so the terminating NUL is not copied
 * and the read is in bounds. The destination is the six bytes appended by
 * skb_put(out, 6); only the capacity of `out` (allocated outside this
 * excerpt) remains to be confirmed.
 */
memcpy(skb_put(out, 6), "\r\nOK\r\n", 6);
s = i + 1;
port->pstate = AT_PARSER_WAIT_A;
} else if (port->pstate == AT_PARSER_SKIP_LINE) {
if (c != '\r')
continue;
Reported by FlawFinder.
Line: 173
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (i > s) {
/* Echo the processed portion of a not yet completed command */
n = i - s;
/*
 * Triage note (CWE-120): the i > s guard keeps n positive, and the copy
 * length equals the length handed to skb_put(), so the write fits the
 * appended region. Remaining checks are outside this excerpt: that `out`
 * has enough tailroom and that i does not exceed the length of in->data.
 */
memcpy(skb_put(out, n), &in->data[s], n);
}
consume_skb(in);
wwan_port_rx(wport, out);
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct wwan_hwsim_port *wwan_hwsim_port_new(struct wwan_hwsim_dev *dev)
{
struct wwan_hwsim_port *port;
/*
 * Triage note (CWE-119/120): this finding is on the declaration of a
 * 16-byte stack buffer only. The code that writes into `name` is below
 * this excerpt; the finding can be closed once that write is seen to use
 * a length-limited call bounded by sizeof(name).
 */
char name[0x10];
int err;
port = kzalloc(sizeof(*port), GFP_KERNEL);
/* Allocation failure is reported to the caller as ERR_PTR(-ENOMEM). */
if (!port)
return ERR_PTR(-ENOMEM);
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas/if_sdio.c
4 issues
Line: 222
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Select the response slot that is not the current resp_idx. */
i = (priv->resp_idx == 0) ? 1 : 0;
BUG_ON(priv->resp_len[i]);
priv->resp_len[i] = size;
/*
 * Triage note (CWE-120): `size` is used as the copy length without a
 * visible comparison against the capacity of priv->resp_buf[i]. An upper
 * bound check, if there is one, sits above this excerpt; confirm it
 * exists and uses the real size of resp_buf, since the data presumably
 * originates from the card.
 */
memcpy(priv->resp_buf[i], buffer, size);
lbs_notify_command_response(priv, i);
spin_unlock_irqrestore(&priv->driver_lock, flags);
ret = 0;
Reported by FlawFinder.
Line: 476
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Triage note (CWE-120): chunk_size is capped at 60 by min_t(), and the
 * copy starts 4 bytes into chunk_buffer after the 32-bit length prefix,
 * so at most 64 bytes are written - the same 64 that sdio_writesb() sends
 * below. The copy is in bounds if chunk_buffer is at least 64 bytes; its
 * allocation is outside this excerpt. The read side is bounded by `size`,
 * presumably the bytes remaining in the firmware image - confirm.
 */
chunk_size = min_t(size_t, size, 60);
*((__le32*)chunk_buffer) = cpu_to_le32(chunk_size);
memcpy(chunk_buffer + 4, firmware, chunk_size);
/*
lbs_deb_sdio("sending %d bytes chunk\n", chunk_size);
*/
ret = sdio_writesb(card->func, card->ioport,
chunk_buffer, 64);
Reported by FlawFinder.
Line: 613
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (req_size) {
/*
 * Triage note (CWE-120): the write is capped at 512 bytes by min_t(), so
 * it is in bounds if chunk_buffer is at least 512 bytes (allocation not
 * shown). The read side deserves the closer look: where req_size comes
 * from is outside this excerpt, and if it is reported by the device it
 * should also be checked against the bytes remaining in the firmware
 * image so the read from `firmware` cannot run past its end.
 */
chunk_size = min_t(size_t, req_size, 512);
memcpy(chunk_buffer, firmware, chunk_size);
/*
lbs_deb_sdio("sending %d bytes (%d bytes) chunk\n",
chunk_size, (chunk_size + 31) / 32 * 32);
*/
ret = sdio_writesb(card->func, card->ioport,
Reported by FlawFinder.
Line: 948
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
packet->buffer[2] = type;
packet->buffer[3] = 0;
/*
 * Triage note (CWE-120): the payload is written after a 4-byte header, so
 * packet->buffer needs room for nb + 4 bytes. The allocation of `packet`
 * and any limit on nb are above this excerpt; confirm the allocation size
 * is computed from the same nb and that the sum cannot wrap.
 */
memcpy(packet->buffer + 4, buf, nb);
spin_lock_irqsave(&card->lock, flags);
if (!card->packets)
card->packets = packet;
Reported by FlawFinder.
drivers/net/wireless/ti/wl1251/debugfs.c
4 issues
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos) \
{ \
struct wl1251 *wl = file->private_data; \
char buf[buflen]; /* triage: sized by the macro's buflen; scnprintf() below is given the same buflen */ \
int res; \
\
res = scnprintf(buf, buflen, fmt "\n", ##value); \
return simple_read_from_buffer(userbuf, count, ppos, buf, res); \
} \
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos) \
{ \
struct wl1251 *wl = file->private_data; \
char buf[buflen]; /* triage: sized by the macro's buflen; the scnprintf() call below passes the same buflen */ \
int res; \
\
wl1251_debugfs_update_stats(wl); \
\
res = scnprintf(buf, buflen, fmt "\n", \
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct wl1251 *wl = file->private_data;
u32 queue_len;
/*
 * Triage note (CWE-119/120): the only visible write into buf is the
 * scnprintf() below, bounded by sizeof(buf). A u32 printed with "%u\n"
 * needs at most 10 digits, a newline and a NUL (12 bytes), which fits in
 * 20. The finding is a match on the fixed-size declaration.
 */
char buf[20];
int res;
queue_len = skb_queue_len(&wl->tx_queue);
res = scnprintf(buf, sizeof(buf), "%u\n", queue_len);
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct wl1251 *wl = file->private_data;
/*
 * Triage note (CWE-119/120): 3-byte stack buffer. Only `status`, a single
 * char, is assigned in the visible lines; the write into buf is below
 * this excerpt. Confirm it is a length-limited call bounded by
 * sizeof(buf).
 */
char buf[3], status;
int len;
if (wl->tx_queue_stopped)
status = 's';
else
Reported by FlawFinder.
drivers/net/wireless/ti/wl1251/cmd.c
4 issues
Line: 188
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bitmap_len, PARTIAL_VBM_MAX);
bitmap_len = PARTIAL_VBM_MAX;
}
/*
 * Triage note (CWE-120): the branch closed just above resets bitmap_len
 * to PARTIAL_VBM_MAX; its condition is cut off, but presumably it fires
 * when bitmap_len exceeds that limit. If so the copy is capped at
 * PARTIAL_VBM_MAX bytes, and it is in bounds provided tim.pvb_field is at
 * least that large - confirm both against the full source.
 */
memcpy(vbm->tim.pvb_field, bitmap, bitmap_len);
vbm->tim.identity = identity;
vbm->tim.length = bitmap_len + 3;
vbm->len = cpu_to_le16(bitmap_len + 5);
Reported by FlawFinder.
Line: 373
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wl1251_error("error in read command result: %d",
cmd->header.status);
/*
 * Triage note (CWE-120): `len` is not compared with the size of either
 * buffer in the visible lines; the caller has to guarantee that `answer`
 * holds len bytes and that cmd->value has len bytes to read. Also note
 * that no goto or return is visible between the error log above and this
 * copy, so the copy appears to run on the error path as well - confirm
 * against the full function.
 */
memcpy(answer, cmd->value, len);
out:
kfree(cmd);
return ret;
}
Reported by FlawFinder.
Line: 400
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->size = cpu_to_le16(buf_len);
/*
 * Triage note (CWE-120): buf_len is the copy length and is also stored in
 * cmd->size, but no limit on it is visible here. The allocation of `cmd`
 * and the computation of cmd_len are above this excerpt; the copy is in
 * bounds only if cmd->data was sized from the same buf_len or buf_len was
 * checked against a maximum beforehand - verify.
 */
if (buf)
memcpy(cmd->data, buf, buf_len);
ret = wl1251_cmd_send(wl, cmd_id, cmd, cmd_len);
if (ret < 0) {
wl1251_warning("cmd set_template failed: %d", ret);
goto out;
Reported by FlawFinder.
Line: 461
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Triage note (CWE-120): the length is clamped to the range
 * 0..IEEE80211_MAX_SSID_LEN before use, so the copy cannot exceed
 * IEEE80211_MAX_SSID_LEN bytes regardless of ssid_len. It is in bounds
 * provided cmd->params.ssid is at least that large (declaration not
 * shown).
 */
int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN);
cmd->params.ssid_len = len;
memcpy(cmd->params.ssid, ssid, len);
}
ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd));
if (ret < 0) {
wl1251_error("cmd scan failed: %d", ret);
Reported by FlawFinder.
drivers/scsi/arm/acornscsi.c
4 issues
Line: 2510
return 0;
}
DEF_SCSI_QCMD(acornscsi_queuecmd)
enum res_abort { res_not_running, res_success, res_success_clear, res_snooze };
/*
* Prototype: enum res acornscsi_do_abort(struct scsi_cmnd *SCpnt)
Reported by Cppcheck.
Line: 2746
Column: 10
CWE codes:
134
Suggestion:
Make format string constant
p = string;
/*
 * Triage note (CWE-134): the format argument is a concatenation of string
 * literals chosen by #ifdef at compile time, not data supplied at run
 * time, so this is not a format-string injection. What remains is that
 * sprintf() has no length limit; the size of `string` and the value
 * passed for %s are outside this excerpt and decide whether the output
 * can overrun the buffer.
 */
p += sprintf(string, "%s at port %08lX irq %d v%d.%d.%d"
#ifdef CONFIG_SCSI_ACORNSCSI_SYNC
" SYNC"
#endif
#ifdef CONFIG_SCSI_ACORNSCSI_TAGGED_QUEUE
" TAG"
Reported by FlawFinder.
Line: 1441
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static
void acornscsi_message(AS_Host *host)
{
/*
 * Triage note (CWE-119/120): 16-byte buffer filled one byte at a time at
 * index msgidx inside the loop below. The loop's termination condition
 * and any update of msglen are outside this excerpt. The index has to
 * stay below sizeof(message); if msglen is derived from the bytes being
 * read, it needs an explicit cap - verify in the full function.
 */
unsigned char message[16];
unsigned int msgidx = 0, msglen = 1;
do {
message[msgidx] = acornscsi_readmessagebyte(host);
Reported by FlawFinder.
Line: 2742
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const
char *acornscsi_info(struct Scsi_Host *host)
{
/*
 * Triage note (CWE-119/120): `string` is a 100-byte static buffer and the
 * sprintf() below writes into it with no length limit, so the bound
 * depends entirely on the longest possible expansion of the format,
 * including the %s argument (not visible here). A length-limited call
 * bounded by sizeof(string) would make the limit explicit. Being static,
 * the buffer is also shared by every call to this function.
 */
static char string[100], *p;
p = string;
p += sprintf(string, "%s at port %08lX irq %d v%d.%d.%d"
#ifdef CONFIG_SCSI_ACORNSCSI_SYNC
Reported by FlawFinder.
drivers/pci/controller/pcie-altera.c
4 issues
Line: 322
Column: 35
CWE codes:
120
20
}
/*
 * Triage note (CWE-120/20): in this function `read` is a bool parameter,
 * declared in the signature below, and is only used as the condition of
 * ?: expressions. No function named read is called in the visible lines,
 * so the finding looks like a match on the identifier rather than on an
 * unbounded read into a buffer.
 */
static void get_tlp_header(struct altera_pcie *pcie, u8 bus, u32 devfn,
int where, u8 byte_en, bool read, u32 *headers)
{
u8 cfg;
u8 cfg0 = read ? pcie->pcie_data->cfgrd0 : pcie->pcie_data->cfgwr0;
u8 cfg1 = read ? pcie->pcie_data->cfgrd1 : pcie->pcie_data->cfgwr1;
u8 tag = read ? TLP_READ_TAG : TLP_WRITE_TAG;
Reported by FlawFinder.
Line: 325
Column: 12
CWE codes:
120
20
int where, u8 byte_en, bool read, u32 *headers)
{
u8 cfg;
/*
 * Triage note (CWE-120/20): `read` here is the bool parameter from the
 * signature line above, used to pick between the read and write config
 * values. It is a value test, not a call that fills a buffer.
 */
u8 cfg0 = read ? pcie->pcie_data->cfgrd0 : pcie->pcie_data->cfgwr0;
u8 cfg1 = read ? pcie->pcie_data->cfgrd1 : pcie->pcie_data->cfgwr1;
u8 tag = read ? TLP_READ_TAG : TLP_WRITE_TAG;
if (pcie->pcie_data->version == ALTERA_PCIE_V1)
cfg = (bus == pcie->root_bus_nr) ? cfg0 : cfg1;
Reported by FlawFinder.
Line: 326
Column: 12
CWE codes:
120
20
{
u8 cfg;
u8 cfg0 = read ? pcie->pcie_data->cfgrd0 : pcie->pcie_data->cfgwr0;
/*
 * Triage note (CWE-120/20): `read` appears without a call's parentheses,
 * as the condition of a ?: expression selecting cfgrd1 or cfgwr1. No
 * buffer is written on this line.
 */
u8 cfg1 = read ? pcie->pcie_data->cfgrd1 : pcie->pcie_data->cfgwr1;
u8 tag = read ? TLP_READ_TAG : TLP_WRITE_TAG;
if (pcie->pcie_data->version == ALTERA_PCIE_V1)
cfg = (bus == pcie->root_bus_nr) ? cfg0 : cfg1;
else
Reported by FlawFinder.
Line: 327
Column: 11
CWE codes:
120
20
u8 cfg;
u8 cfg0 = read ? pcie->pcie_data->cfgrd0 : pcie->pcie_data->cfgwr0;
u8 cfg1 = read ? pcie->pcie_data->cfgrd1 : pcie->pcie_data->cfgwr1;
/*
 * Triage note (CWE-120/20): `read` is tested as a value to choose between
 * two constants; the result is a single u8. Nothing on this line copies
 * data into a buffer.
 */
u8 tag = read ? TLP_READ_TAG : TLP_WRITE_TAG;
if (pcie->pcie_data->version == ALTERA_PCIE_V1)
cfg = (bus == pcie->root_bus_nr) ? cfg0 : cfg1;
else
cfg = (bus > S10_RP_SECONDARY(pcie)) ? cfg0 : cfg1;
Reported by FlawFinder.
drivers/s390/virtio/virtio_ccw.c
4 issues
Line: 878
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_free;
spin_lock_irqsave(&vcdev->lock, flags);
/*
 * Triage note (CWE-120): the length is offset + len, and no comparison of
 * that sum with the size of vcdev->config or of config_area is visible in
 * these lines. The copy is safe only if the caller, or a check above this
 * excerpt, keeps offset + len within both buffers and the addition cannot
 * wrap - verify.
 */
memcpy(vcdev->config, config_area, offset + len);
if (vcdev->config_ready < offset + len)
vcdev->config_ready = offset + len;
spin_unlock_irqrestore(&vcdev->lock, flags);
if (buf)
memcpy(buf, config_area + offset, len);
Reported by FlawFinder.
Line: 883
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vcdev->config_ready = offset + len;
spin_unlock_irqrestore(&vcdev->lock, flags);
/*
 * Triage note (CWE-120): this reads len bytes starting at
 * config_area + offset into the caller's buf. config_area is released
 * below with size VIRTIO_CCW_CONFIG_SIZE, which suggests that is its
 * allocated size, so the read is in bounds when offset + len does not
 * exceed it. That check, and the capacity of buf, are the caller's side
 * and not visible here.
 */
if (buf)
memcpy(buf, config_area + offset, len);
out_free:
ccw_device_dma_free(vcdev->cdev, config_area, VIRTIO_CCW_CONFIG_SIZE);
ccw_device_dma_free(vcdev->cdev, ccw, sizeof(*ccw));
}
Reported by FlawFinder.
Line: 912
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (vcdev->config_ready < offset)
virtio_ccw_get_config(vdev, 0, NULL, offset);
spin_lock_irqsave(&vcdev->lock, flags);
/*
 * Triage note (CWE-120): this writes len bytes at index `offset` of
 * vcdev->config. No check that offset + len stays within
 * sizeof(vcdev->config) is visible in these lines; confirm that one
 * exists above this excerpt or is guaranteed by the callers.
 */
memcpy(&vcdev->config[offset], buf, len);
/* Write the config area to the host. */
memcpy(config_area, vcdev->config, sizeof(vcdev->config));
spin_unlock_irqrestore(&vcdev->lock, flags);
ccw->cmd_code = CCW_CMD_WRITE_CONF;
ccw->flags = 0;
Reported by FlawFinder.
Line: 914
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spin_lock_irqsave(&vcdev->lock, flags);
memcpy(&vcdev->config[offset], buf, len);
/* Write the config area to the host. */
/*
 * Triage note (CWE-120): the length is sizeof(vcdev->config), the full
 * size of the source array, so the read is in bounds by construction. The
 * write is in bounds if config_area was allocated with at least that many
 * bytes; its allocation is outside this excerpt.
 */
memcpy(config_area, vcdev->config, sizeof(vcdev->config));
spin_unlock_irqrestore(&vcdev->lock, flags);
ccw->cmd_code = CCW_CMD_WRITE_CONF;
ccw->flags = 0;
ccw->count = offset + len;
ccw->cda = (__u32)(unsigned long)config_area;
Reported by FlawFinder.
drivers/scsi/bfa/bfa_plog.h
4 issues
Line: 45
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 rsvd;
u16 misc; /* can be used to indicate fc frame length */
/*
 * Triage note (CWE-119/120): the finding is on the declaration of a
 * fixed-size array inside this union. A declaration cannot overflow by
 * itself; what needs review is every writer of string_log, which must
 * limit its copy to BFA_PL_STRING_LOG_SZ. Those writers are not in this
 * header excerpt.
 */
union {
char string_log[BFA_PL_STRING_LOG_SZ];
u32 int_log[BFA_PL_INT_LOG_SZ];
} log_entry;
};
Reported by FlawFinder.
Line: 74
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BFA_PL_MID_STRLEN 8
/*
 * Fixed 8-byte name field. Triage note (CWE-119/120): the flag is on the
 * declaration only. A string stored here may have at most 7 characters if
 * it is to stay NUL-terminated; check the initializers and any code that
 * reads m_str as a C string.
 */
struct bfa_plog_mid_strings_s {
char m_str[BFA_PL_MID_STRLEN];
};
/*
* the following #defines will be used by the logging entities to indicate
* their event type. BFAL will convert the integer value to string format
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define BFA_PL_ENAME_STRLEN 8
/*
 * Fixed 8-byte name field. Triage note (CWE-119/120): the flag is on the
 * declaration only. A string stored here may have at most 7 characters if
 * it is to stay NUL-terminated.
 */
struct bfa_plog_eid_strings_s {
char e_str[BFA_PL_ENAME_STRLEN];
};
/*
 * The signature literal below is 7 characters, so with its terminating
 * NUL it occupies exactly BFA_PL_SIG_LEN (8) bytes.
 */
#define BFA_PL_SIG_LEN 8
#define BFA_PL_SIG_STR "12pl123"
Reported by FlawFinder.
Line: 127
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* per port circular log buffer
*/
struct bfa_plog_s {
/*
 * Triage note (CWE-119/120): fixed-size field sized by BFA_PL_SIG_LEN.
 * The finding is on the declaration; the code that writes the signature
 * is not in this header excerpt and is where the bound has to hold.
 */
char plog_sig[BFA_PL_SIG_LEN]; /* Start signature */
u8 plog_enabled;
u8 rsvd[7];
u32 ticks;
u16 head;
u16 tail;
Reported by FlawFinder.