The following issues were found
drivers/pinctrl/pinctrl-zynqmp.c
4 issues
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* and function group names supporting that function.
*/
struct zynqmp_pmux_function {
char name[MAX_FUNC_NAME_LEN];
const char * const *groups;
unsigned int ngroups;
};
/**
Reported by FlawFinder.
Line: 499
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(groups, &payload[1], PINCTRL_GET_FUNC_GROUPS_RESP_LEN);
return 0;
}
static int zynqmp_pinctrl_get_func_num_groups(u32 fid, unsigned int *ngroups)
Reported by FlawFinder.
Line: 602
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* the return value for this specific qid.
*/
zynqmp_pm_query_data(qdata, payload);
memcpy(name, payload, PINCTRL_GET_FUNC_NAME_RESP_LEN);
}
static int zynqmp_pinctrl_get_num_functions(unsigned int *nfuncs)
{
struct zynqmp_pm_query_data qdata = {0};
Reported by FlawFinder.
Line: 636
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(groups, &payload[1], PINCTRL_GET_PIN_GROUPS_RESP_LEN);
return 0;
}
static void zynqmp_pinctrl_group_add_pin(struct zynqmp_pctrl_group *group,
Reported by FlawFinder.
drivers/s390/scsi/zfcp_fc.h
4 issues
Line: 106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct zfcp_fc_gspn_rsp {
struct fc_ct_hdr ct_hdr;
struct fc_gspn_resp gspn;
char name[FC_SYMBOLIC_NAME_SIZE];
} __packed;
/**
* struct zfcp_fc_rspn_req - container for ct header plus RSPN_ID request
* @ct_hdr: FC GS common transport header
Reported by FlawFinder.
Line: 118
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct zfcp_fc_rspn_req {
struct fc_ct_hdr ct_hdr;
struct fc_ns_rspn rspn;
char name[FC_SYMBOLIC_NAME_SIZE];
} __packed;
/**
* struct zfcp_fc_req - Container for FC ELS and CT requests sent from zfcp
* @ct_els: data required for issuing fsf command
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (scsi->sc_data_direction == DMA_TO_DEVICE)
fcp->fc_flags |= FCP_CFL_WRDATA;
memcpy(fcp->fc_cdb, scsi->cmnd, scsi->cmd_len);
datalen = scsi_bufflen(scsi);
fcp->fc_dl = cpu_to_be32(datalen);
if (scsi_get_prot_type(scsi) == SCSI_PROT_DIF_TYPE1) {
Reported by FlawFinder.
Line: 298
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sense += be32_to_cpu(fcp_rsp->ext.fr_rsp_len);
sense_len = min_t(u32, be32_to_cpu(fcp_rsp->ext.fr_sns_len),
SCSI_SENSE_BUFFERSIZE);
memcpy(scsi->sense_buffer, sense, sense_len);
}
if (unlikely(rsp_flags & FCP_RESID_UNDER)) {
resid = be32_to_cpu(fcp_rsp->ext.fr_resid);
scsi_set_resid(scsi, resid);
Reported by FlawFinder.
drivers/rtc/rtc-88pm80x.c
4 issues
Line: 102
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pm80x_rtc_read_time(struct device *dev, struct rtc_time *tm)
{
struct pm80x_rtc_info *info = dev_get_drvdata(dev);
unsigned char buf[4];
unsigned long ticks, base, data;
regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4);
base = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
(buf[1] << 8) | buf[0];
dev_dbg(info->dev, "%x-%x-%x-%x\n", buf[0], buf[1], buf[2], buf[3]);
Reported by FlawFinder.
Line: 123
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pm80x_rtc_set_time(struct device *dev, struct rtc_time *tm)
{
struct pm80x_rtc_info *info = dev_get_drvdata(dev);
unsigned char buf[4];
unsigned long ticks, base, data;
ticks = rtc_tm_to_time64(tm);
/* load 32-bit read-only counter */
Reported by FlawFinder.
Line: 147
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int pm80x_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
{
struct pm80x_rtc_info *info = dev_get_drvdata(dev);
unsigned char buf[4];
unsigned long ticks, base, data;
int ret;
regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4);
base = ((unsigned long)buf[3] << 24) | (buf[2] << 16) |
Reported by FlawFinder.
Line: 175
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pm80x_rtc_info *info = dev_get_drvdata(dev);
struct rtc_time now_tm, alarm_tm;
unsigned long ticks, base, data;
unsigned char buf[4];
int mask;
regmap_update_bits(info->map, PM800_RTC_CONTROL, PM800_ALARM1_EN, 0);
regmap_raw_read(info->map, PM800_RTC_EXPIRE2_1, buf, 4);
Reported by FlawFinder.
drivers/s390/char/sclp.c
4 issues
Line: 710
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
remaining -= evbuf->length;
if (evbuf->flags & 0x80) {
sccb->length -= evbuf->length;
memcpy(evbuf, (void *) ((addr_t) evbuf + evbuf->length),
remaining);
} else {
unprocessed++;
evbuf = (struct evbuf_header *)
((addr_t) evbuf + evbuf->length);
Reported by FlawFinder.
Line: 986
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t con_pages_show(struct device_driver *dev, char *buf)
{
return sprintf(buf, "%i\n", sclp_console_pages);
}
static DRIVER_ATTR_RO(con_pages);
static ssize_t con_drop_show(struct device_driver *dev, char *buf)
Reported by FlawFinder.
Line: 993
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t con_drop_show(struct device_driver *dev, char *buf)
{
return sprintf(buf, "%i\n", sclp_console_drop);
}
static DRIVER_ATTR_RO(con_drop);
static ssize_t con_full_show(struct device_driver *dev, char *buf)
Reported by FlawFinder.
Line: 1000
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t con_full_show(struct device_driver *dev, char *buf)
{
return sprintf(buf, "%lu\n", sclp_console_full);
}
static DRIVER_ATTR_RO(con_full);
static struct attribute *sclp_drv_attrs[] = {
Reported by FlawFinder.
drivers/pci/endpoint/pci-ep-cfs.c
4 issues
Line: 201
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t pci_epc_start_show(struct config_item *item, char *page)
{
return sprintf(page, "%d\n",
to_pci_epc_group(item)->start);
}
CONFIGFS_ATTR(pci_epc_, start);
Reported by FlawFinder.
Line: 324
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct pci_epf *epf = to_pci_epf_group(item)->epf; \
if (WARN_ON_ONCE(!epf->header)) \
return -EINVAL; \
return sprintf(page, "0x%04x\n", epf->header->_name); \
}
#define PCI_EPF_HEADER_W_u32(_name) \
static ssize_t pci_epf_##_name##_store(struct config_item *item, \
const char *page, size_t len) \
Reported by FlawFinder.
Line: 393
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t pci_epf_msi_interrupts_show(struct config_item *item,
char *page)
{
return sprintf(page, "%d\n",
to_pci_epf_group(item)->epf->msi_interrupts);
}
static ssize_t pci_epf_msix_interrupts_store(struct config_item *item,
const char *page, size_t len)
Reported by FlawFinder.
Line: 415
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t pci_epf_msix_interrupts_show(struct config_item *item,
char *page)
{
return sprintf(page, "%d\n",
to_pci_epf_group(item)->epf->msix_interrupts);
}
PCI_EPF_HEADER_R(vendorid)
PCI_EPF_HEADER_W_u16(vendorid)
Reported by FlawFinder.
drivers/net/wireless/marvell/libertas/if_usb.c
4 issues
Line: 348
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
extra __le32 field in between the header and the data,
which is not in the struct fwheader in the actual
firmware binary. Insert the seqnum in the middle... */
memcpy(&fwdata->hdr, &firmware[cardp->totalbytes],
sizeof(struct fwheader));
cardp->fwlastblksent = cardp->totalbytes;
cardp->totalbytes += sizeof(struct fwheader);
Reported by FlawFinder.
Line: 354
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cardp->fwlastblksent = cardp->totalbytes;
cardp->totalbytes += sizeof(struct fwheader);
memcpy(fwdata->data, &firmware[cardp->totalbytes],
le32_to_cpu(fwdata->hdr.datalength));
lbs_deb_usb2(&cardp->udev->dev, "Data length = %d\n",
le32_to_cpu(fwdata->hdr.datalength));
Reported by FlawFinder.
Line: 635
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i = (priv->resp_idx == 0) ? 1 : 0;
BUG_ON(priv->resp_len[i]);
priv->resp_len[i] = (recvlength - MESSAGE_HEADER_LEN);
memcpy(priv->resp_buf[i], recvbuff + MESSAGE_HEADER_LEN,
priv->resp_len[i]);
kfree_skb(skb);
lbs_notify_command_response(priv, i);
spin_unlock_irqrestore(&priv->driver_lock, flags);
Reported by FlawFinder.
Line: 741
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
priv->dnld_sent = DNLD_DATA_SENT;
}
memcpy((cardp->ep_out_buf + MESSAGE_HEADER_LEN), payload, nb);
return usb_tx_block(cardp, cardp->ep_out_buf, nb + MESSAGE_HEADER_LEN);
}
/**
Reported by FlawFinder.
drivers/pci/hotplug/acpiphp_ibm.c
4 issues
Line: 52
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
union apci_descriptor {
struct {
char sig[4];
u8 len;
} header;
struct {
u8 type;
u8 len;
Reported by FlawFinder.
Line: 146
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret) {
ret = kmalloc(sizeof(union apci_descriptor), GFP_KERNEL);
if (ret)
memcpy(ret, des, sizeof(union apci_descriptor));
}
kfree(table);
return ret;
}
Reported by FlawFinder.
Line: 328
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size = 0;
for (i = 0; i < package->package.count; i++) {
memcpy(&lbuf[size],
package->package.elements[i].buffer.pointer,
package->package.elements[i].buffer.length);
size += package->package.elements[i].buffer.length;
}
Reported by FlawFinder.
Line: 367
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (pos == 0) {
bytes_read = ibm_get_table_from_acpi(&table);
if (bytes_read > 0 && bytes_read <= size)
memcpy(buffer, table, bytes_read);
kfree(table);
}
return bytes_read;
}
Reported by FlawFinder.
drivers/rtc/rtc-ds1307.c
4 issues
Line: 455
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ds1337_set_alarm(struct device *dev, struct rtc_wkalrm *t)
{
struct ds1307 *ds1307 = dev_get_drvdata(dev);
unsigned char regs[9];
u8 control, status;
int ret;
dev_dbg(dev, "%s secs=%d, mins=%d, "
"hours=%d, mday=%d, enabled=%d, pending=%d\n",
Reported by FlawFinder.
Line: 777
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int mcp794xx_set_alarm(struct device *dev, struct rtc_wkalrm *t)
{
struct ds1307 *ds1307 = dev_get_drvdata(dev);
unsigned char regs[10];
int wday, ret;
wday = mcp794xx_alm_weekday(dev, &t->time);
if (wday < 0)
return wday;
Reported by FlawFinder.
Line: 1363
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (ret)
return ret;
return sprintf(buf, "%d\n", temp);
}
static SENSOR_DEVICE_ATTR(temp1_input, 0444, ds3231_hwmon_show_temp,
NULL, 0);
static struct attribute *ds3231_hwmon_attrs[] = {
Reported by FlawFinder.
Line: 1725
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct chip_desc *chip;
bool want_irq;
bool ds1307_can_wakeup_device = false;
unsigned char regs[8];
struct ds1307_platform_data *pdata = dev_get_platdata(&client->dev);
u8 trickle_charger_setup = 0;
ds1307 = devm_kzalloc(&client->dev, sizeof(struct ds1307), GFP_KERNEL);
if (!ds1307)
Reported by FlawFinder.
drivers/net/xen-netback/netback.c
4 issues
Line: 349
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GNTMAP_host_map | GNTMAP_readonly,
txp->gref, queue->vif->domid);
memcpy(&queue->pending_tx_info[pending_idx].req, txp,
sizeof(*txp));
queue->pending_tx_info[pending_idx].extra_count = extra_count;
}
static inline struct sk_buff *xenvif_alloc_skb(unsigned int size)
Reported by FlawFinder.
Line: 637
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(&extras[extra.type - 1], &extra, sizeof(extra));
} while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE);
return work_to_do;
}
Reported by FlawFinder.
Line: 1016
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
frag_set_pending_idx(&skb_shinfo(skb)->frags[0],
INVALID_PENDING_IDX);
memcpy(&queue->pending_tx_info[pending_idx].req,
&txreq, sizeof(txreq));
queue->pending_tx_info[pending_idx].extra_count =
extra_count;
}
Reported by FlawFinder.
Line: 1098
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
skb_shinfo(skb)->destructor_arg = NULL;
/* Fill the skb with the new (local) frags. */
memcpy(skb_shinfo(skb)->frags, frags, i * sizeof(skb_frag_t));
skb_shinfo(skb)->nr_frags = i;
skb->truesize += i * PAGE_SIZE;
return 0;
}
Reported by FlawFinder.
drivers/net/wireless/intersil/hostap/hostap_info.c
4 issues
Line: 221
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
memcpy(req.bssid, selected->bssid, ETH_ALEN);
req.channel = selected->chid;
spin_unlock_irqrestore(&local->lock, flags);
PDEBUG(DEBUG_EXTRA, "%s: JoinRequest: BSSID=%pM"
" channel=%d\n",
Reported by FlawFinder.
Line: 283
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Convert to hostscan result format. */
res = (struct hfa384x_scan_result *) pos;
for (i = 0; i < new_count; i++) {
memcpy(&results[i], &res[i],
sizeof(struct hfa384x_scan_result));
results[i].atim = 0;
}
spin_lock_irqsave(&local->lock, flags);
Reported by FlawFinder.
Line: 344
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
for (i = 0; i < new_count; i++) {
memcpy(&results[i], ptr, copy_len);
ptr += result_size;
left -= result_size;
}
if (left) {
Reported by FlawFinder.
Line: 443
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (connected) {
netif_carrier_on(local->dev);
netif_carrier_on(local->ddev);
memcpy(wrqu.ap_addr.sa_data, local->bssid, ETH_ALEN);
} else {
netif_carrier_off(local->dev);
netif_carrier_off(local->ddev);
eth_zero_addr(wrqu.ap_addr.sa_data);
}
Reported by FlawFinder.